Developing for Splunk Enterprise

Why are our Splunk Python SDK search results empty?

Explorer

Hi,

I'm new to Splunk and don't really know it well so I apologize in advance if this seems like a silly question. I'm using Splunk Python SDK to get the results of a search that should ideally be having plenty of results no matter what the time frame and I used to get results for a while until recently it started to return a string of size 0 bytes. I believe the jobs are getting created and the search goes through, but I still don't get results.

Can someone help me figure out where to look for answers, perhaps?

This is the code snippet:

service = client.connect(
            host=HOST,
            port=PORT,
            username=USERNAME,
            password=PASSWORD)

        # Get the collection of search jobs
        jobs = service.jobs

        # Create a search job
        job = jobs.create(QUERY)

        # Wait for job to be ready
        while not job.is_ready():
            sleeper(.2, "Job not ready")

        # Get the results and return them
        rr = job.results(**PARAMS)

        result = rr.read(None).decode('utf-8')

 

Labels (3)
0 Karma
1 Solution

Explorer

Hi,
Update on the error: It turns out that the sdk sets is_ready flag just before it can send the results for some reason. If you wait for a couple of seconds before retrieving the job results, you'll get the data fine. Not sure why this happens though.
Thanks for helping out, @harsmarvania57

View solution in original post

0 Karma

Explorer

Hi,
Update on the error: It turns out that the sdk sets is_ready flag just before it can send the results for some reason. If you wait for a couple of seconds before retrieving the job results, you'll get the data fine. Not sure why this happens though.
Thanks for helping out, @harsmarvania57

View solution in original post

0 Karma

New Member

Hi,
How did you fix this issue? I tried adding delays after the query is completed and before retrieving the results but it still doesn't work for me. Is there anything else I can try? Thanks so much, @nprasad99

0 Karma

SplunkTrust
SplunkTrust

Hi @nprasad99,

I have tested below python script with Splunk Python SDK and it is working fine. Have you tried to search that query directly in splunk web which you are using in python script and are you getting any result ? Additionally I am not sure which parameter are you fetching from job results rr = job.results(**PARAMS), there might be possibility that those parameters are not available in job results.

import sys
import time
sys.path.append('splunk-sdk-python-1.6.4')
import splunklib.client as client

splunkUser = raw_input("Enter Ur Splunk Username: ")
splunkPassword = raw_input("Enter Ur Splunk Password: ")

splunkService = client.connect(host=HOST, port=8089, username=splunkUser, password=splunkPassword, verify=0)
jobs = splunkService.jobs
job = jobs.create("search index=_internal earliest=-15m latest=now | stats count by host")
while not job.is_ready():
    print("Job not ready")
    time.sleep(5)
rr = job.results()
result = rr.read(None).decode('utf-8')
print result
0 Karma

Explorer

Hi, Thanks for the answer! I did try searching that query using the UI and the queries work fine and fetch many records in a very short time. The query is correct because I had run the same script previously and retrieved results. Also, I believe the job is actually working because the job.isready function becomes true and the script continues execution. I'll provide the params below:
`PARAMS = {"output
mode":"json",
"count":"10",
}`

0 Karma