Python SDK and Rest endpoint /search/jobs are not ...

strive · ‎11-30-2018

Hi,

We extensively use splunklib.client and service.jobs to create jobs, retrieve jobs and iter over, and set ttl. All these things were working fine in Splunk 6.4.5 & Python SDK 1.6.2.

In Splunk 7.0.7 & Python SDK 1.6.2, the service.jobs.iter(search=query) and job.set_ttl are not working. More details below.

We post search jobs along with custom parameters. Later we retrieve the jobs matching some custom parameters.
For example: If custom.notify_method="email", custom.notify_server="my mail server" are our custom parameters

query='custom.notify_method="email" AND custom.notify_server="my mail server"'
service.jobs.iter(search=query)

returns nothing.

for job in service.jobs:
    job.set_ttl(60)

The ttl and eai:acl.ttl are set to 60. After 60 seconds, the ttl value becomes 0 but the eai:acl.ttl value remains as 60.
The job never expires and it stays for 7 days.
Why the jobs are not getting deleted after 60 seconds even though the ttl value has been updated to 0?

Both the above mentioned issues are in Splunk 7.0.7 & Python SDK 1.6.2. But they were working as intended in 6.4.5 and SDK 1.6.2

Any pointers to solve these issues.

Thanks,
Strive

strive · ‎12-09-2018

Splunk team have told that it is a bug and it will be fixed.

Python SDK and Rest endpoint /search/jobs are not working as intended in setting ttl and querying custom parameters

Happy CX Day, Splunk Community!

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas