Developing for Splunk Enterprise

Too many possible results returned for search?

Explorer

Hi, bit of background information. I have a splunk enterprise server and I'm working on writing a script to search stuff for data I want to pull from it. (Using python 3 with Splunk SDK (Splunklib.client, Splunklib.requests))

The way I am currently doing it is that we have an audit viewer which can be used to run a search, this viewer for example also shows the query string, so I am using the same query string when I use my script. The problem is say I run search on my audit viewer, I'll get two results back, but when I use the exact same string, I get like 12k lines of results back, which I'm not sure is relevant or not.

This is how I am running the search atm:

def start():
    # Connect to splunk servers.
    login()
    # Get input of various search parameters.
    query = input("Enter query string, you can create it using the audit viewer: ")
    query = "search " + query
    # Get results and start getting them.
    f = open("output.txt", 'w')
    rr = results.ResultsReader(service.jobs.export(query))
    for result in rr:
        if isinstance(result, results.Message):
            # Diagnostic messages may be returned in the results
            print(result.type, result.message)
        elif isinstance(result, dict):
            # Normal events are returned as dicts
            print(result, file = f)
    assert rr.is_preview == False
    f.close()

And my file prints out a ton of OrderedDicts of information that seems to me shouldn't be there.

So how do I make sure I only get the results which I perceive is the correct amount (the online viewer)? And lastly I would like to use this results to get the GUID, which I can use to get the payload for the events, how do I accomplish that?

Thanks

0 Karma
1 Solution

Explorer

I realized that this is simply an issue with my query string pulling date/time data from JavaScript, and thus isn't accounted for when I copy paste the string. This leads to it getting all possible results it can.

View solution in original post

0 Karma

Explorer

I realized that this is simply an issue with my query string pulling date/time data from JavaScript, and thus isn't accounted for when I copy paste the string. This leads to it getting all possible results it can.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!