https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9057#M4 <P>According to the latest documentation, pydoc is now at:</P> <P>$SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/lib/python2.6/pydoc.py -p 8080</P> Mon, 28 Sep 2020 09:13:12 GMT esachs 2020-09-28T09:13:12Z https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9054#M1 <P>I have existing Python scripts that pull data from various sources. I would like to use Splunk's built-in Python SDK layer in my own script so that I can run searches programmatically.</P> Tue, 10 Nov 2009 03:17:36 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9054#M1 Johnvey 2009-11-10T03:17:36Z https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9055#M2 <P>Yes, Splunk includes its own copy of Python along with modules that talk directly to the Splunk backend. </P> <H2>Interactive Splunk Python prompt</H2> <P>If you have Splunk installed already, you can use the interactive Python interpreter to try out the various modules.</P> <P>1) start the Python prompt</P> <PRE><CODE>$SPLUNK_HOME/bin/splunk cmd python </CODE></PRE> <P>2) import the required modules</P> <PRE><CODE>import splunk.auth, splunk.search </CODE></PRE> <P>3) obtain a session key</P> <PRE><CODE>key = splunk.auth.getSessionKey('admin','changeme') # replace with your credentials </CODE></PRE> <P>The SDK will cache the session key, so you don't have to explicitly pass it while in the interactive prompt.</P> <P>4) run a basic search</P> <PRE><CODE>my_job = splunk.search.dispatch('search error | timechart span=1h count', namespace='search', earliest_time='-24h') </CODE></PRE> <P>This command will start a search job for all occurrences of the keyword <CODE>error</CODE>, in the context of the <CODE>search</CODE> app, and count them on a per-hour basis for data that occurred over the last 24 hours. The handle to the job is represented by the <CODE>my_job</CODE> object, which is a splunk.search.SearchJob class.</P> <P>5) inspect the various job properties</P> <P>The <CODE>my_job</CODE> object has a multitude of properties that describe the current job. Examples are:</P> <PRE><CODE>&gt;&gt;&gt; my_job.isDone True &gt;&gt;&gt; my_job.eventCount 13264 &gt;&gt;&gt; my_job.resultCount 24 </CODE></PRE> <P>The complete list of properties can be enumerated by printing the job object:</P> <PRE><CODE>&gt;&gt;&gt; print my_job createTime 2009-11-09T10:48:03.000-08:00 cursorTime 2009-09-09T01:40:20.000-07:00 delegate None doneProgress 1.0 dropCount 0 eai:acl {'sharing': 'global', 'perms': {'read': ['admin'], 'write': ['admin']}, 'app': 'search', 'modifiable': 'true', 'can_write': 'true', 'owner': 'admin'} earliestTime 2002-09-12T17:02:52.000-07:00 eventAvailableCount 100 eventCount 100 eventFieldCount 17 eventIsStreaming True eventIsTruncated False eventSearch search error | head 100 eventSorting desc isDone True isFailed False isFinalized False isPaused False isRealTimeSearch False isSaved False isSavedSearch False isZombie False keywords error label None latestTime 2009-09-09T01:40:21.000-07:00 messages {} modifiedTime 2009-11-09T10:48:03.000-08:00 priority 5 remoteSearch litsearch error | fields keepcolorder=t * | prehead limit=100 null=false keeplast=false reportSearch None request {'search': 'search error | head 100'} resultCount 100 resultIsStreaming True resultPreviewCount 100 runDuration 3.38 scanCount 2803 search search error | head 100 searchProviders ['decider.local-johnvey'] sid 1257792483.115 statusBuckets 300 ttl 600 </CODE></PRE> <P>6) get the raw events</P> <P>You can get the raw events that the index returned by:</P> <PRE><CODE>&gt;&gt;&gt; for event in my_job.events: print event </CODE></PRE> <P>7) get the transformed results</P> <P>Since the search command contains <CODE>timechart</CODE>, a transforming command, the relevant summarized data is contained in the <CODE>results</CODE> property:</P> <PRE><CODE>&gt;&gt;&gt; for result in my_job.results: print result </CODE></PRE> <P>In this iterator, the <CODE>result</CODE> object houses detailed information about each result:</P> <PRE><CODE>&gt;&gt;&gt; result0 = my_job.results[0] &gt;&gt;&gt; result0.time '2009-09-09T01:40:21-0700' &gt;&gt;&gt; result0.fields {'count': 100, '_time': 2009-09-09T01:40:21-0700} &gt;&gt;&gt; result0['count'] 100 </CODE></PRE> <P><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> clean up</P> <P>Every search job executed will retain its data for a period of time (defined by the <CODE>ttl</CODE> dispatch property). When you are finished with the job, mark the job for removal:</P> <PRE><CODE>&gt;&gt;&gt; my_job.cancel() </CODE></PRE> <H2>Scripting against the built-in Python SDK</H2> <P>You can write custom Python scripts that use the built-in SDK by executing them in the Splunk environment. Assuming that you have a script called 'my_searcher.py':</P> <PRE><CODE>$ cd $SPLUNK_HOME/bin $ vi my_searcher.py # create your scripts $ splunk cmd python my_searcher.py </CODE></PRE> <H2>Installing the Python SDK on an server that doesn't have Splunk</H2> <P>Currently, there isn't a packaging script to easily bring the necessary Splunk Python components to a standalone machine. However, those that are familiar with Python can manually setup such an environment.</P> <P>Splunk Python modules:</P> <PRE><CODE>$SPLUNK_HOME/lib/python2.6/python-site/splunk/ </CODE></PRE> <P>Python dependencies:</P> <P>1) python 2.5+ 2) lxml: <A href="http://codespeak.net/lxml/" rel="nofollow">http://codespeak.net/lxml/</A> 3) httplib2: <A href="http://code.google.com/p/httplib2/" rel="nofollow">http://code.google.com/p/httplib2/</A></P> <H2>Generating SDK documentation</H2> <P>You can generate documentation on the various Splunk modules by running <CODE>pydoc</CODE> within the Splunk environment:</P> <PRE><CODE>$ $SPLUNK_HOME/bin/splunk cmd pydoc -p 8800 </CODE></PRE> <P>This will start a local webserver that will serve the code documentation for Splunk. Under the <CODE>site-packages</CODE> header there is a link for `splunk', which contains the entire SDK tree.</P> Tue, 10 Nov 2009 03:17:53 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9055#M2 Johnvey 2009-11-10T03:17:53Z https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9056#M3 <P>Is pydoc part of all Splunk distributions? I'm running a 4.0.9 indexer on RHEL5.3 x86_64, as installed by the RPM, and get this when trying to generate the docs:</P> <P>$ /opt/splunk/bin/splunk cmd pydoc -p 8800<BR /> couldn't run "/opt/splunk/bin/pydoc": No such file or directory</P> <P>Indeed, it doesn't exist:</P> <P>$ ls -l /opt/splunk/bin/p*<BR /> parsetest pcregextest python python2.6</P> Fri, 26 Mar 2010 16:49:45 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9056#M3 Glenn 2010-03-26T16:49:45Z https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9057#M4 <P>According to the latest documentation, pydoc is now at:</P> <P>$SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/lib/python2.6/pydoc.py -p 8080</P> Mon, 28 Sep 2020 09:13:12 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9057#M4 esachs 2020-09-28T09:13:12Z https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9058#M5 <P>There is also a new Splunk Python SDK on GitHub. You can access it here: <A href="https://github.com/splunk/splunk-sdk-python">https://github.com/splunk/splunk-sdk-python</A></P> <P>Any questions - <A href="mailto:psanford@splunk.com">psanford@splunk.com</A> or ping us on Twitter: @splunkdev </P> Wed, 28 Sep 2011 16:59:25 GMT https://community.splunk.com/t5/Splunk-Dev/Can-I-use-Splunk-s-built-in-Python-SDK-in-my-own-scripts/m-p/9058#M5 psanford_splunk 2011-09-28T16:59:25Z