I have just started playing around with the Python REST API for a project I have in mind. Please forgive me, as this is my first real attempt at scripting/programming anything, really. I'm using Python to query Splunk.
Anyway, based on the examples I found on the website, this is a part of the code:
import urllib
import urllib2

# base_url (the https:// management URL, port 8089 by default), username,
# session_key (returned by /services/auth/login) and search_query are set earlier.
request = urllib2.Request(base_url + '/servicesNS/%s/search/search/jobs/export' % (username),
                          data=urllib.urlencode({'search': search_query, 'output_mode': 'csv'}),
                          headers={'Authorization': ('Splunk %s' % session_key)})
search_results = urllib2.urlopen(request)
returned_data = search_results.read()  # one str holding the whole CSV body
Here is an example of the output (I have on purpose selected only two fields and three events):
"_time",Service
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 17:48:04.000 BST","dnsmasq-dhcp[472]"
When printing the value of returned_data, I can see all the information I expect. However, the variable has a type of string, so I need to convert it to something, but I'm not sure what. The end aim is to be able to compare the different values in the fields. Would I need to convert the above output to a dictionary or a list? Also, should I maybe be trying to export the results from Splunk in a different format than CSV?
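As an added example (not code from the original post, and independent of the Splunk SDK), here is one way to turn the CSV string that the export endpoint returns into a list of dictionaries and then compare field values. The sample CSV is constructed from the three rows shown above and embedded as a string so the code runs offline; the helper names (parse_export_csv, count_by_field, find_duplicates, seconds_between) are my own. It is written for Python 3, where csv.DictReader reads from an in-memory text stream; the only assumption about the data is Splunk's default _time format, which ends in a zone abbreviation that strptime cannot parse and which is therefore dropped.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the CSV body that output_mode=csv returned in the
# question, pasted here as a string so the example runs without a Splunk host.
SAMPLE_CSV = '''"_time",Service
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 17:48:04.000 BST","dnsmasq-dhcp[472]"
'''


def parse_export_csv(text):
    """Convert the raw CSV string into a list of dicts, one per event.

    The first row is the header, so each dict maps a field name
    ("_time", "Service", ...) to that event's value. csv handles the
    quoting, so a value containing a comma or a quote is still one field.
    """
    return list(csv.DictReader(io.StringIO(text)))


def parse_splunk_time(value):
    """Parse Splunk's default _time string into a datetime.

    The trailing zone name (BST here) is dropped: strptime does not understand
    zone abbreviations, and every row of one search shares the same zone,
    so comparisons between rows are unaffected.
    """
    stamp, _zone = value.rsplit(" ", 1)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def count_by_field(rows, field):
    """Count how many events carry each distinct value of `field`."""
    counts = {}
    for row in rows:
        counts[row[field]] = counts.get(row[field], 0) + 1
    return counts


def find_duplicates(rows):
    """Return rows that repeat an earlier row in every selected field."""
    seen = set()
    duplicates = []
    for row in rows:
        key = tuple(sorted(row.items()))
        if key in seen:
            duplicates.append(row)
        seen.add(key)
    return duplicates


def seconds_between(rows, i, j):
    """Seconds from row j's _time to row i's _time (positive if i is later)."""
    later = parse_splunk_time(rows[i]["_time"])
    earlier = parse_splunk_time(rows[j]["_time"])
    return (later - earlier).total_seconds()


if __name__ == "__main__":
    events = parse_export_csv(SAMPLE_CSV)
    print("events:", len(events))
    print("per service:", count_by_field(events, "Service"))
    print("duplicate rows:", len(find_duplicates(events)))
    print("gap between first and last:", seconds_between(events, 0, 2), "seconds")
```

A list of dicts keeps the column names from the header row attached to every value, which is what makes field-by-field comparison readable; CSV is a fine export format for that as long as _time is parsed rather than compared as a string, and sorting by the parsed datetime rather than the raw text avoids surprises if the search spans a zone change.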
This is a lot easier using the Splunk Python SDK.
Example code doing a mock string compare against the _raw field from the export search results:
import splunklib.results as results
import splunklib.client as client

def compare(val_a, val_b):
    return val_a == val_b

if __name__ == '__main__':
    service = client.connect(host='localhost', port=8089, username='admin', password='abc')
    kwargs_export = {"earliest_time": "-1h",
                     "latest_time": "now",
                     "search_mode": "normal"}
    searchquery_export = "search index=_internal"
    exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
    # ResultsReader yields one dict per event; it also yields Message objects
    # for informational/warning messages, hence the isinstance check below.
    reader = results.ResultsReader(exportsearch_results)
    foo_field = 'foo'
    for result in reader:
        if isinstance(result, dict):
            raw_field = result['_raw']
            print compare(raw_field, foo_field)