Developing for Splunk Enterprise

Possible Splunk SDK bug

Path Finder

This could be a mistake in setting a flag from my side, or a possible bug in the Splunk SDK. Before I spend more time to debug the Splunk python SDK, I want to get pointers/advice.

I followed this post http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 to run a search job using the Splunk SDK. As far as I can tell, the search job was created with a good job id and finished properly. The https://my_host:8089/servicesNS/nobody/search/search/jobs/{job_id}/ page shows two events in XML format as expected.

But the Splunk SDK returns an empty result. The debugger shows that job.results() only gets the first line of the XML file shown above, so it can't extract any event from the results.

Seems like I need to debug the Splunk SDK code now. Any better suggestions please?

Thanks in advance!

0 Karma
1 Solution

Path Finder

Ok, answering my question again!

This is caused by a delay through the REST API. I used
| makeresults .....
to simulate events. Right after that, if I run
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"
from the Splunk Web, I can get the results right away. But running it using the Splunk python SDK won't get anything. It takes up to 5-10 minutes before the Splunk python SDK shows results.

So it might not be a big problem for real cases.


0 Karma


Path Finder

I need to be more specific here.

Running a search job using the SDK works most of the time. But this is the one found so far that causes trouble. A search:
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"

This is a saved search from ESCU.

Running this from Splunk Web, it shows two events as expected. Running this using the Splunk python SDK, I can see that a search job was created and finished successfully. Using the search id associated with the job, I can check that https://my_host:8089/servicesNS/nobody/search/search/jobs/{job_id}/results shows two events in XML format.

But the python SDK only returns an empty list. According to the debugger, job.results() only gets the first line of the XML file.

0 Karma
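An added example of the collect-then-verify pattern this thread circles around: poll the job until it is done, read the server-reported resultCount, and then reconcile it with what the results body actually parses to, failing loudly when the body is truncated (the "only the first line of the XML file" case above) instead of quietly returning an empty list. This is not code from the thread or from the Splunk SDK project; it assumes splunklib (the Splunk Enterprise SDK for Python) is installed and that `service` comes from `splunklib.client.connect(...)`. The sample XML is constructed to mirror the shape of a /results response and is not output captured from any real instance.

```python
"""Collect Splunk search-job results and verify the body is complete.

Added example, not code from the thread or from splunklib itself.
parse_results_xml() and wait_for_job() run offline; run_search() needs a
live splunklib Service (assumption: splunklib.client.connect(...) succeeded).
"""
import time
import xml.etree.ElementTree as ET

# Constructed sample of a Splunk /results XML body with two events.
SAMPLE_RESULTS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta><fieldOrder><field>_time</field><field>user</field><field>count</field></fieldOrder></meta>
<result offset='0'><field k='_time'><value><text>2024-01-01T00:00:00.000+00:00</text></value></field><field k='user'><value><text>alice</text></value></field><field k='count'><value><text>12</text></value></field></result>
<result offset='1'><field k='_time'><value><text>2024-01-01T00:05:00.000+00:00</text></value></field><field k='user'><value><text>bob</text></value></field><field k='count'><value><text>7</text></value></field></result>
</results>
"""

# Constructed: what a body that stopped after the XML declaration looks like.
TRUNCATED_RESULTS_XML = "<?xml version='1.0' encoding='UTF-8'?>\n"


def parse_results_xml(body):
    """Parse a /results XML body into a list of {field: value} dicts.

    Raises ValueError if the body is not a complete <results> document,
    so a truncated response is never mistaken for "zero events".
    """
    data = body.encode("utf-8") if isinstance(body, str) else body
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"truncated or malformed results body: {exc}") from exc
    if root.tag != "results":
        raise ValueError(f"unexpected root element <{root.tag}>")
    events = []
    for result in root.iter("result"):
        event = {}
        for field in result.findall("field"):  # direct children only
            values = [t.text or "" for t in field.iter("text")]
            # Multi-valued fields stay a list; single values collapse to str.
            event[field.get("k")] = values[0] if len(values) == 1 else values
        events.append(event)
    return events


def wait_for_job(job, timeout_s=300, poll_s=2):
    """Block until the SDK Job reports done, then return its resultCount.

    Uses Job.is_done(), Job.refresh() and Job["resultCount"] from splunklib.
    """
    deadline = time.monotonic() + timeout_s
    while not job.is_done():
        if time.monotonic() >= deadline:
            raise TimeoutError(f"search job not done after {timeout_s}s")
        time.sleep(poll_s)
    job.refresh()  # pull fresh properties before reading resultCount
    return int(job["resultCount"])


def run_search(service, spl, timeout_s=300):
    """Create a job for `spl`, wait for it, and return its verified events.

    `service` is assumed to be a splunklib.client.Service; count=0 asks
    the results endpoint for every row rather than the default page size.
    """
    job = service.jobs.create(spl, exec_mode="normal")
    expected = wait_for_job(job, timeout_s=timeout_s)
    body = job.results(count=0).read()
    events = parse_results_xml(body)
    if len(events) != expected:
        raise RuntimeError(
            f"server reported resultCount={expected} but body parsed to "
            f"{len(events)} events (sid={job.sid})"
        )
    return events


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no Splunk needed.
    for e in parse_results_xml(SAMPLE_RESULTS_XML):
        print(e)
    try:
        parse_results_xml(TRUNCATED_RESULTS_XML)
    except ValueError as err:
        print("truncated body rejected:", err)
```

The reconciliation step in run_search is the part that matters for the situation described in the thread: if the REST endpoint shows two events but the client only received the XML declaration, parse_results_xml raises instead of returning `[]`, and if a complete body disagrees with resultCount you get a RuntimeError carrying the sid so the job can be inspected directly.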