Splunk Dev

Splunk Python API example not encoding URL properly

titleistfour
Explorer

I'm trying to work with the lastest Splunk Python SDK, version 1.3.0 I believe, using Python 2.6.6. Our Splunk server is 6.1.5. Working through the examples provided, I was unable to use examples/saved_search/saved_search.py to list out the details of a specific saved search.

[user@web saved_search]$ ./saved_search.py list --name="SLB server disabled"
Traceback (most recent call last):
  File "./saved_search.py", line 216, in <module>
    main(sys.argv[1:])
  File "./saved_search.py", line 206, in main
    result = context.get("saved/searches/%s" % name, **kwargs)
  File "./../../splunklib/binding.py", line 240, in wrapper
    return request_fun(self, *args, **kwargs)
  File "./../../splunklib/binding.py", line 62, in new_f
    val = f(*args, **kwargs)
  File "./../../splunklib/binding.py", line 585, in get
    response = self.http.get(path, self._auth_headers, **query)
  File "./../../splunklib/binding.py", line 1055, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "./../../splunklib/binding.py", line 1110, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 404 Not Found --
 In handler 'savedsearch': Could not find object id=SLB%20server%20disabled
[user@web saved_search]$

However, if I take a look at the URL for that search in Splunk, I see that the encoding is different.

https://web:8000/en-US/app/search/alert?s=%2FservicesNS%2Fnobody%2Fsearch%2Fsaved%2Fsearches%2FSLB%2520server%2520disabled

Anyone know what might be going on here? I've set my version=6.1 in my ~/.splunkrc file. Other examples seem to work ok.

Thanks, Jay

0 Karma

Flynt
Splunk Employee
Splunk Employee

Looks like the issue here may be this line in 177 of saved_search.py

kwargs[key] = urllib.quote(opts.kwargs[key])

Which may be encoding the saved search name in a way that this version of Splunk doesn't like. Try commenting that line out and adding this in its place

kwargs[key] = opts.kwargs[key]
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...