topic Re: splunklib sourcetype in Splunk Dev

splunklib sourcetype

stevedhoward — Tue, 29 Sep 2020 12:52:01 GMT

In the splunk UI, I can have a query such as the following...

host="cmhlpecomweb*" sourcetype=access_combined "GET /check-out/actions/gift-card-submit.jsp"

I have been unable to find how to do this through the splunklib python client.

I have tried numerous combinations, and can find no referecne to how to do this in the Splunk documention.

Examples of what has been tried

service.jobs.export("host=cmhlpecomweb* sourcetype=access_combined | search GET /check-out/actions/gift-card-submit.jsp",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))

service.jobs.export("regex field= host=cmhlpecomweb* sourcetype=access_combined | search GET /check-out/actions/gift-card-submit.jsp",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))

service.jobs.export("search GET /check-out/actions/gift-card-submit.jsp | host=cmhlpecomweb* sourcetype=access_combined ",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))

service.jobs.export("search GET /check-out/actions/gift-card-submit.jsp host=cmhlpecomweb* sourcetype=access_combined ",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))

Surely this can't be this difficult, but after spending the better part of an afternoon, I give up. Is this documented, or even possible? If documented, a pointer to that info would be great!

Re: splunklib sourcetype

jkat54 — Wed, 15 Feb 2017 15:25:34 GMT

Are you using the results reader?

http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Search/ExportdatausingSDKs

import splunklib.client as client
import splunklib.results as results
service = client.connect(…)
rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head

Re: splunklib sourcetype

stevedhoward — Wed, 15 Feb 2017 15:25:35 GMT

I think I found this, as the following works...

rr = results.ResultsReader(service.jobs.export("search host=\"cmhlpecomweb*\" sourcetype=access_combined GET /catalog/actions/giftcard-balance-submit.jsp", 
                                               **{"earliest_time":"2016-12-31T23:57:00.000-05:00",
                                                  "latest_time":"2017-01-01T00:00:00.000-05:00"}))

I think a more complete example should be in the docs for this, rather than search * | head 5.

Regardless, it works, so thanks to anyone that gave this some thought.

Re: splunklib sourcetype

stevedhoward — Wed, 15 Feb 2017 15:31:53 GMT

Hi,

I am, but the syntax I had above consistently threw exceptions. I have since found that I can simply prefix the same search string with "search" (go figure :)), and escape the double quotations for host. After that, it works.

I will wait to verify I am not still missing anything, and then accept your answer.

Thanks,

Steve

Re: splunklib sourcetype

jkat54 — Wed, 15 Feb 2017 16:29:45 GMT

you can escape your quotes if you need them just add a \ before them ... \" should work... maybe \"