Developing for Splunk Enterprise

How can I filter job results on relative time?

cy0926
New Member

I'm able to read all results of a job through

 job_obj.results() 

using python-sdk.
I want to get all results in the last 15 mins.
It says in the doc that I can pass some params in the result() method.
What are the parameters for that?
Where is the documentation for available params?

0 Karma
1 Solution

ryanoconnor
Builder
0 Karma

ryanoconnor
Builder
0 Karma

cy0926
New Member

so I cannot filter results on relative time?

0 Karma

ryanoconnor
Builder

Can you tell me a little bit more about your use case?

0 Karma

cy0926
New Member

I'm getting alert names from service. And for each alert name, I get the saved_search of that alert from service.saved_searches. Then the latest job_obj from saved_search.history(),
then I want to get all results of this job_obj for any relative time such as the last 15 mins or the last hour.

Is it possible and is there a faster and more convenient way of doing that? Thanks.

0 Karma

ryanoconnor
Builder

I see, have you looked at the following?

http://dev.splunk.com/view/python-sdk/SP-CAAAER5

They give some examples in there, you should be able to pass the same parameters are in the rest API seen here: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

If you read the REST API Docs, you should be able to also pass a post search command parameter. so effectively something like

args = {"count": 100}
job_obj.results(args)

I think should turn 100 results.

You'd have to play around with the search parameter since you want to do a timing thing but maybe

args = {"search": "* earliest=-15m@m"}
job_obj.results(args)

0 Karma