https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215034#M2840 <P>You better to use service jobs as following:</P> <H1>Function to Perform a Splunk search</H1> <P>def execute_query(searchquery_normal, <BR /> kwargs_normalsearch={"exec_mode": "normal"}, <BR /> kwargs_options={"output_mode": "csv", "count": 1000000}):<BR /> # Execute Search<BR /> job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)</P> <PRE><CODE># A normal search returns the job's SID right away, so we need to poll for completion while True: while not job.is_ready(): pass stats = {"isDone": job["isDone"], "doneProgress": float(job["doneProgress"])*100, "scanCount": int(job["scanCount"]), "eventCount": int(job["eventCount"]), "resultCount": int(job["resultCount"])} status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned " "%(eventCount)d matched %(resultCount)d results") % stats sys.stdout.write(status + '\n') sys.stdout.flush() if stats["isDone"] == "1": sys.stdout.write("\nDone!") break time.sleep(0.5) # Get the results and display them csv_results = job.results(**kwargs_options).read() job.cancel() for row in csv_results: if row[0] not in (None, ""): df = pd.read_csv(StringIO.StringIO(csv_results), encoding='utf8', sep=',', low_memory=False) df.to_csv(filename_new, sep=',', encoding='utf-8') break break </CODE></PRE> <P>you can find whole project from following:<BR /> <A href="https://github.com/selcukozer/splunk_python" target="_blank">https://github.com/selcukozer/splunk_python</A></P> Tue, 29 Sep 2020 19:24:26 GMT selcukozer 2020-09-29T19:24:26Z https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215032#M2838 <P>Hi,</P> <P>I am trying to add a Python script as a Splunk custom command and I'm having trouble reading the data from Intersplunk and formatting it as a pandas dataframe. I have:</P> <PRE><CODE>results = splunk.Intersplunk.readResults() df = pandas.DataFrame(results) ip_list = df['ip'].tolist() </CODE></PRE> <P>So I'm converting the list of dictionaries returned by <CODE>readResults()</CODE> to a pandas DF and then extracting what would be the csv "ip" column as a list. But I am getting an error on that last code line.</P> <P>I have also tried <CODE>df = pandas.DataFrame.from_records(results)</CODE> and <CODE>ip_list = df['ip'].values.tolist()</CODE>, but it's not working.</P> <P>I'd appreciate any help.</P> Mon, 08 Aug 2016 14:32:46 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215032#M2838 agnesramos 2016-08-08T14:32:46Z https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215033#M2839 <P>Some more info will help - What error are you getting? What does your 'ip' field look like?</P> <P>umm and also, why are you converting it to a DF just to go back to a list right away?</P> Fri, 01 Dec 2017 21:31:23 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215033#M2839 danbar6 2017-12-01T21:31:23Z https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215034#M2840 <P>You better to use service jobs as following:</P> <H1>Function to Perform a Splunk search</H1> <P>def execute_query(searchquery_normal, <BR /> kwargs_normalsearch={"exec_mode": "normal"}, <BR /> kwargs_options={"output_mode": "csv", "count": 1000000}):<BR /> # Execute Search<BR /> job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)</P> <PRE><CODE># A normal search returns the job's SID right away, so we need to poll for completion while True: while not job.is_ready(): pass stats = {"isDone": job["isDone"], "doneProgress": float(job["doneProgress"])*100, "scanCount": int(job["scanCount"]), "eventCount": int(job["eventCount"]), "resultCount": int(job["resultCount"])} status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned " "%(eventCount)d matched %(resultCount)d results") % stats sys.stdout.write(status + '\n') sys.stdout.flush() if stats["isDone"] == "1": sys.stdout.write("\nDone!") break time.sleep(0.5) # Get the results and display them csv_results = job.results(**kwargs_options).read() job.cancel() for row in csv_results: if row[0] not in (None, ""): df = pd.read_csv(StringIO.StringIO(csv_results), encoding='utf8', sep=',', low_memory=False) df.to_csv(filename_new, sep=',', encoding='utf-8') break break </CODE></PRE> <P>you can find whole project from following:<BR /> <A href="https://github.com/selcukozer/splunk_python" target="_blank">https://github.com/selcukozer/splunk_python</A></P> Tue, 29 Sep 2020 19:24:26 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-convert-Intersplunk-s-readResults-to-dataframe/m-p/215034#M2840 selcukozer 2020-09-29T19:24:26Z