Hi, a bit of background information. I have a Splunk Enterprise server and I'm working on writing a script to search it for data I want to pull from it (using Python 3 with the Splunk SDK: splunklib.client, splunklib.requests).
The way I am currently doing it is that we have an audit viewer which can be used to run a search; this viewer also shows the query string, so I am using the same query string in my script. The problem is, say I run a search in my audit viewer, I'll get two results back, but when I use the exact same string I get something like 12k lines of results back, which I'm not sure are relevant or not.
This is how I am running the search at the moment:
from splunklib import client, results  # Splunk SDK for Python

# login() is defined elsewhere in the script; it calls client.connect(...)
# and stores the resulting Service object in the module-level name `service`.


def start():
    # Connect to splunk servers.
    login()
    # Get input of various search parameters.
    query = input("Enter query string, you can create it using the audit viewer: ")
    query = "search " + query
    # Get results and start getting them.
    with open("output.txt", "w") as f:
        rr = results.ResultsReader(service.jobs.export(query))
        for result in rr:
            if isinstance(result, results.Message):
                # Diagnostic messages may be returned in the results
                print(result.type, result.message)
            elif isinstance(result, dict):
                # Normal events are returned as dicts
                print(result, file=f)
        assert rr.is_preview == False
And my file prints out a ton of OrderedDicts of information that, it seems to me, shouldn't be there.
So how do I make sure I only get what I perceive to be the correct number of results (as in the online viewer)? And lastly, I would like to use these results to get the GUID, which I can use to get the payload for the events; how do I accomplish that?
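The following is an added example, not code from the post above. It shows the shape a practitioner would give the two steps the post asks about: an export that passes an explicit time window (worth checking, since a viewer typically applies a time range that a bare export call does not), and a second query built from the GUIDs in the first result set. Values are validated as UUIDs and quoted before they go back into a query string, so a field value cannot append extra SPL. Assumptions: the id field is literally named GUID, the base index and the time window are placeholders, and the SDK is recent enough to provide results.JSONResultsReader (1.6.16 or later). The sample events at the bottom are constructed so the helpers run without a Splunk server.

```python
import re

# Assumption: the unique-id field is literally named "GUID"; rename if yours differs.
GUID_FIELD = "GUID"
# Only UUID-shaped values are allowed back into a query string (8-4-4-4-12 hex).
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def normalize_query(query):
    """Prefix a bare search with 'search '; leave '| ...' and 'search ...' untouched."""
    query = query.strip()
    if query.startswith("|") or query.lower().startswith("search "):
        return query
    return "search " + query


def collect_events(reader):
    """Split a results stream into (events, messages).

    Events are the dicts the SDK yields; anything else is treated as a diagnostic
    and recorded as a (type, message) tuple. Works on the SDK reader or on any
    iterable, so it can be exercised with constructed input.
    """
    events, messages = [], []
    for item in reader:
        if isinstance(item, dict):
            events.append(item)
        else:
            messages.append((getattr(item, "type", "UNKNOWN"),
                             getattr(item, "message", str(item))))
    return events, messages


def export_events(service, query, earliest="-24h@h", latest="now"):
    """Run an export bounded to an explicit time window; returns (events, messages).

    service is the splunklib.client.Service from client.connect(...). The SDK is
    imported here so the pure helpers above run without it installed.
    """
    from splunklib import results  # Splunk SDK for Python
    job = service.jobs.export(normalize_query(query), earliest_time=earliest,
                              latest_time=latest, output_mode="json")
    return collect_events(results.JSONResultsReader(job))


def unique_guids(events, field=GUID_FIELD):
    """Distinct, UUID-shaped values of `field` in first-seen order; others are skipped."""
    seen = []
    for ev in events:
        value = ev.get(field)
        candidates = value if isinstance(value, list) else [value]  # multivalue fields
        for v in candidates:
            if isinstance(v, str) and _UUID_RE.match(v) and v not in seen:
                seen.append(v)
    return seen


def payload_query(base_query, guids, field=GUID_FIELD):
    """Build the follow-up search: base_query plus an IN (...) clause over the GUIDs.

    Every value is re-validated and double-quoted, so a crafted field value such as
    'x" | delete' is rejected instead of being spliced into the SPL.
    """
    if not guids:
        raise ValueError("no GUIDs to look up")
    bad = [g for g in guids if not (isinstance(g, str) and _UUID_RE.match(g))]
    if bad:
        raise ValueError("refusing to interpolate non-UUID values: %r" % bad)
    quoted = ", ".join('"%s"' % g for g in guids)
    return "%s %s IN (%s)" % (normalize_query(base_query), field, quoted)


class _ConstructedMessage:
    """Stand-in for results.Message, used only for the constructed sample below."""
    type = "DEBUG"
    message = "constructed diagnostic"


# Constructed sample stream (not real Splunk output): two duplicate events, one
# event whose GUID carries an SPL injection attempt, one multivalue GUID, one message.
SAMPLE_STREAM = [
    {"GUID": "123e4567-e89b-12d3-a456-426614174000", "action": "login"},
    {"GUID": "123e4567-e89b-12d3-a456-426614174000", "action": "login"},
    {"GUID": 'deadbeef" | delete', "action": "tamper"},
    {"GUID": ["0f0f0f0f-0000-4000-8000-000000000001"], "action": "export"},
    _ConstructedMessage(),
]


def demo(base_query="index=audit"):  # index name is a placeholder
    events, messages = collect_events(SAMPLE_STREAM)
    return payload_query(base_query, unique_guids(events)), len(events), messages


if __name__ == "__main__":
    print(demo())
```

In a real run, replace SAMPLE_STREAM with the tuple returned by export_events(service, query) and pass the same earliest/latest values the viewer shows, then feed the resulting payload_query string back through export_events to fetch the full events.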