https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342113#M5288 <P>I've considered that, but I didn't see anything about token usage like in the <CODE>| savedsearch</CODE> command.</P> Mon, 18 Dec 2017 09:39:03 GMT rharrisssi 2017-12-18T09:39:03Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342108#M5283 <P>I've troubleshot this for awhile, must not be comprehending this correctly. Basically I'm trying to use the | savedsearch command to execute a saved search. Straight forward, right? The hitch is that I'm trying to do it via the API using the SDK, but when I've tried it cannot find the search by name I specify; I can copy/paste direct into Splunk and it works, so I'm good there.</P> <P>Basically anyone who is able to use the Splunk SDK to execute an arbitrary SPL query, but within the context of a specific app, could likely help me; but it's appreciated regardless! Here is some basic code to describe what I'm doing:</P> <PRE><CODE>config = {"searches":["search index=firewall | ... | outputlookup mylookup","..."]} service = client.connect(host="foo",username="user",password="pass",app="my_app_name") jobs = service.jobs for search in config["searches"]: myargs = {"exec_mode":"normal"} job = jobs.create(search,**myargs) while True: while not job.is_ready(): pass if job["isDone"] == "1": break sleep(2) </CODE></PRE> <P>That is the most relevant piece of the code. I'm not looking to bring the results back, which is why you don't see that. I'm more interested in executing a search that is used to populate some lookups, and use lookups, which is why I need to figure out why the app context is not working for me. Perhaps I'm just doing it wrong!</P> Fri, 15 Dec 2017 19:07:25 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342108#M5283 rharrisssi 2017-12-15T19:07:25Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342109#M5284 <P>Instead of using <CODE>| savedsearch</CODE> command, try using SavedSearch object, like specified here:</P> <P><A href="http://dev.splunk.com/view/java-sdk/SP-CAAAEKY#runsaved">http://dev.splunk.com/view/java-sdk/SP-CAAAEKY#runsaved</A></P> Fri, 15 Dec 2017 20:48:51 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342109#M5284 somesoni2 2017-12-15T20:48:51Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342110#M5285 <P><A href="http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#listsaved">Here is a link to the Python SDK Saved Search examples</A></P> <P>In short try iterating over the saved searches in your app context like : </P> <PRE><CODE>savedsearches = service.saved_searches for savedsearch in savedsearches: print " " + savedsearch.name print " Query: " + savedsearch["search"] </CODE></PRE> Fri, 15 Dec 2017 21:09:52 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342110#M5285 Damien_Dallimor 2017-12-15T21:09:52Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342111#M5286 <P>I can run saved searches in a specific context without any problem using the SDK.</P> <P>I use the following code:</P> <PRE><CODE>instance = client.connect(host="localhost", username="user", password="pass", app="my_app") job = instance.jobs.create("| savedsearch Rule1") </CODE></PRE> <P>Where Rule1 is saved search with my_app permissions.<BR /> If your saved search has private permissions, you will have to add owner="search_owner" to the parameters!</P> <P>You can try add the following at the beginning of the script, that will print SDK debug logs in the console and could be helpful!</P> <PRE><CODE>import logging logging.basicConfig(level=logging.DEBUG) </CODE></PRE> Tue, 29 Sep 2020 17:17:53 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342111#M5286 damien_chillet 2020-09-29T17:17:53Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342112#M5287 <P>Thank you for your idea!</P> Mon, 18 Dec 2017 09:38:22 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342112#M5287 rharrisssi 2017-12-18T09:38:22Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342113#M5288 <P>I've considered that, but I didn't see anything about token usage like in the <CODE>| savedsearch</CODE> command.</P> Mon, 18 Dec 2017 09:39:03 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342113#M5288 rharrisssi 2017-12-18T09:39:03Z https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342114#M5289 <P>This has puzzled me too. Turned out, default connect parameters don't give you access to objects that are set to "private" by other users. To get that, you need to explicitly specify it with wildcard, which is "-". Put that in your ~/.splunkrc or manually set in connect() method. </P> <PRE><CODE># Splunk host (default: localhost) host=HOSTNAMEHERE # Splunk admin port (default: 8089) port=8089 # Splunk username username=USERNAMEHERE # Splunk password password=PASSHERE # Access scheme (default: https) scheme=https # Your version of Splunk (default: 5.0) version=6.6.4 #app context app=- #owner wildcard owner=- </CODE></PRE> <P>After that, you should be able to see all objects. For example this should return all searches (global, app, user) from all apps: </P> <PRE><CODE>def main(): opts = parse(sys.argv[1:], {}, ".splunkrc") service = client.connect(**opts.kwargs) savedsearches = service.saved_searches for s in savedsearches: print s.name, s.access["owner"], s.access["sharing"] </CODE></PRE> <P>I hope it helps!</P> Thu, 25 Jan 2018 07:22:37 GMT https://community.splunk.com/t5/Splunk-Dev/SDK-and-specifying-App-context-namespace/m-p/342114#M5289 aliakseidzianis 2018-01-25T07:22:37Z