Developing for Splunk Enterprise

Export Splunk results automatically for every 3 hours using Python

Explorer

I am very new to Splunk and I am trying to automate the manual search and export with Python (Splunk SDK).
I have searched most of the answers relevant to the Splunk SDK, but none is straightforward.

Here is my code which I have tried -

import splunklib.client as client
import splunklib.results as results

# Connect to the management port of the Splunk instance
c = client.connect(host='cicloga-enterprise.net',
                   port=8089,
                   username='username',
                   password='password')

# Create a saved search, check it exists, then delete it again.
# Nothing here dispatches the saved search or reads any results.
savedsearches = c.savedsearches
savedsearches.create('mysavedsearch',
                     'search index=cghnew876544 | head 1')
assert 'mysavedsearch' in savedsearches
savedsearches.delete('mysavedsearch')
assert 'mysavedsearch' not in savedsearches

With the above Python code I am able to connect to the Splunk host and get the job results, but I am not getting results for my search "search index=cghnew876544 | head 1".

Ultimately I need logic/help to run a Splunk query and export the Splunk results to CSV.
I have already gone through this link - https://answers.splunk.com/answers/2651/exporting-search-results-automatically.html?utm_source=typea...

But that is not something that interacts directly with Python.

Kindly help me with the above requirement.

0 Karma
1 Solution

Explorer

Now I am able to get the results from Splunk - it's working fine.

from time import sleep
import splunklib.client as client
import splunklib.results as results

count = 0
HOST = "cicloga-enterprise.net"
PORT = 8089
USERNAME = "SID"
PASSWORD = "Password"
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

search_query = "search index=cfsclassic_81712 | head 10"

# "normal" mode creates an asynchronous job whose results are read later
kwargs_normalsearch = {"exec_mode": "normal"}

job = service.jobs.create(search_query, **kwargs_normalsearch)

# The export endpoint streams results directly without creating a job
rr = results.ResultsReader(service.jobs.export("search index=cghnew876544 | stats count by host"))
for result in rr:
    if isinstance(result, results.Message):
        # Diagnostic messages may be returned in the results
        print('%s: %s' % (result.type, result.message))
    elif isinstance(result, dict):
        # Normal events are returned as dicts
        print(result)
# Export mode streams only final results, never a preview
assert not rr.is_preview


0 Karma
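An added example, not code from either post in this thread, that carries the accepted approach through to what the question actually asks for: the result dicts that splunklib's ResultsReader yields are written to a timestamped CSV whose header is the union of all fields seen, cells that a spreadsheet would evaluate as formulas are neutralized (event fields are log content the server ingested, so they are untrusted from the analyst's point of view), and the export repeats every three hours. Connection details are read from environment variables rather than hard-coded in the script. The SPLUNK_* variable names, the function names, the output file naming and the sample rows are assumptions of this example; the search string and the interval come from the thread.

```python
import csv
import io
import os
import tempfile
import time
from datetime import datetime, timezone

# Added example, not code from either post in the thread.
# Query and interval come from the thread; everything else is assumed.
SEARCH = "search index=cghnew876544 | stats count by host"
EXPORT_INTERVAL_SECONDS = 3 * 60 * 60

# Leading characters that spreadsheet applications interpret as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize(value):
    """Prefix a cell with a single quote if a spreadsheet would evaluate it.

    Event fields come from log data the Splunk server ingested, so they are
    untrusted input as far as the analyst opening the CSV is concerned.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def rows_to_csv(rows):
    """Serialize an iterable of Splunk result dicts to CSV text.

    Returns (csv_text, skipped), where skipped counts non-dict items (for
    example splunklib.results.Message objects) that were left out.
    The header is the union of all field names in first-seen order, because
    events returned by one search need not share the same fields.
    """
    records = []
    skipped = 0
    for item in rows:
        if isinstance(item, dict):
            records.append(item)
        else:
            skipped += 1
    header = []
    for record in records:
        for key in record:
            if key not in header:
                header.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, restval="", lineterminator="\n")
    writer.writeheader()
    for record in records:
        writer.writerow({k: neutralize(v) for k, v in record.items()})
    return buf.getvalue(), skipped


def export_once(rows, out_dir, now=None):
    """Write one timestamped CSV file under out_dir and return its path."""
    now = now or datetime.now(timezone.utc)
    path = os.path.join(out_dir, "splunk_export_%s.csv" % now.strftime("%Y%m%dT%H%M%SZ"))
    text, skipped = rows_to_csv(rows)
    with open(path, "w", newline="") as fh:
        fh.write(text)
    if skipped:
        print("skipped %d non-event items (Splunk messages)" % skipped)
    return path


def fetch_results(search, host, port, username, password):
    """Run `search` through the export endpoint and yield one dict per result.

    splunklib is imported lazily so the CSV logic above runs without the SDK.
    """
    import splunklib.client as client
    import splunklib.results as results
    service = client.connect(host=host, port=port, username=username, password=password)
    for item in results.ResultsReader(service.jobs.export(search)):
        if isinstance(item, results.Message):
            print("%s: %s" % (item.type, item.message))  # diagnostics, not events
        else:
            yield item


def run_forever(search, out_dir, interval=EXPORT_INTERVAL_SECONDS):
    """Export every `interval` seconds; credentials come from the environment."""
    creds = dict(host=os.environ["SPLUNK_HOST"],
                 port=int(os.environ.get("SPLUNK_PORT", "8089")),
                 username=os.environ["SPLUNK_USER"],
                 password=os.environ["SPLUNK_PASS"])
    while True:
        started = time.monotonic()
        print("wrote", export_once(fetch_results(search, **creds), out_dir))
        # Subtract the time the search took so runs stay on a fixed cadence.
        time.sleep(max(0.0, interval - (time.monotonic() - started)))


if __name__ == "__main__":
    if "SPLUNK_HOST" in os.environ:
        run_forever(SEARCH, ".")
    else:
        # Offline run with constructed rows shaped like `stats count by host` output.
        sample = [{"host": "web01", "count": "3"}, {"host": "db01", "count": "7"}]
        print(open(export_once(sample, tempfile.mkdtemp())).read())
```

Set SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASS (and SPLUNK_PORT if not 8089) and run the script under a service account limited to the indexes it needs; without those variables it writes one CSV from the constructed sample rows so the file format can be checked. The formula neutralization also quotes values that begin with a minus sign, so numeric fields that can be negative should be exempted if the CSV is consumed by a program rather than opened in a spreadsheet.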
