Developing for Splunk Enterprise

Export Splunk results automatically for every 3 hours using Python

pchp348
Explorer

I am very new to Splunk and i am trying to automate the manual search and export with Python(Splunk SDK).
I have searched most of the answers relevant to Splunk SDK,But none is straight forward.

Here is my code which i have tried -

import splunklib.client as client
import splunklib.results as results

c =
client.connect(host='cicloga-enterprise.net',
port=8089,
username='username',
password='password')

saved_searches = c.saved_searches
saved_searches.create('my_saved_search',
'search index=cgh_new_876544 | head 1')
assert 'my_saved_search' in
saved_searches
saved_searches.delete('my_saved_search')
assert 'my_saved_search' not in
saved_searches

With the above python code i am able to connect to Splunk host and getting the job results , But i am not getting results for my search "'search index=cgh_new_876544 | head 1"

Ultimately i need a logic/help to run a splunk query to export the splunk results to CSV.
I have already gone through this link - https://answers.splunk.com/answers/2651/exporting-search-results-automatically.html?utm_source=typea...

But that is not something which interacting directly with Python.

Kindly help me with the above requirement.

0 Karma
1 Solution

pchp348
Explorer

Now i am able to get the results from splunk - Its working fine.

from time import sleep import
splunklib.client as client import
splunklib.results as results count=0
HOST = "cicloga-enterprise.net" PORT =
8089 USERNAME = "SID" PASSWORD =
"Password" service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)

search_query = "search index=cfs_classic_81712 | head 10"

kwargs_normalsearch = {"exec_mode": "normal"}

job = service.jobs.create(search_query,

**kwargs_normalsearch) rr = results.ResultsReader(service.jobs.export("search
index=cgh_new_876544 | stats count by
host")) for result in rr:
if isinstance(result, results.Message):
# Diagnostic messages may be returned in the results
print '%s: %s' % (result.type, result.message)
elif isinstance(result, dict):
# Normal events are returned as dicts
print result assert rr.is_preview == False

View solution in original post

0 Karma

pchp348
Explorer

Now i am able to get the results from splunk - Its working fine.

from time import sleep import
splunklib.client as client import
splunklib.results as results count=0
HOST = "cicloga-enterprise.net" PORT =
8089 USERNAME = "SID" PASSWORD =
"Password" service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)

search_query = "search index=cfs_classic_81712 | head 10"

kwargs_normalsearch = {"exec_mode": "normal"}

job = service.jobs.create(search_query,

**kwargs_normalsearch) rr = results.ResultsReader(service.jobs.export("search
index=cgh_new_876544 | stats count by
host")) for result in rr:
if isinstance(result, results.Message):
# Diagnostic messages may be returned in the results
print '%s: %s' % (result.type, result.message)
elif isinstance(result, dict):
# Normal events are returned as dicts
print result assert rr.is_preview == False

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.