Re: real-time search using python SDK export comma...

esharf · ‎05-06-2021

so here is my code:

import splunklib.client as client
import splunklib.results as results

client.connect(**connection_args)
job_kwargs = {"search_mode": "realtime", "earliest_time": "rt", "latest_time": "rt"}
for item in service.jobs.export(query=my_query, **job_kwargs):
    if isinstance(item, results.Message):
        print(item.message)
    else:
        print(item)

when I'm trying to run this code with a general query

query="search index=main"

It’s working properly.
but if I’m trying with

query="search `notable` | eval rule_name=if(isnull(rule_name),source,rule_name) | eval rule_title=if(isnull(rule_title),rule_name,rule_title) | `get_urgency` | `risk_correlation` | eval rule_description=if(isnull(rule_description),source,rule_description) | eval security_domain=if(isnull(security_domain),source,security_domain)"

I get a lot of events that I cannot see in the regular search.
also, I get almost every multiple times with a little change (such as dest_ip=8.8.8.8 anddest_ip=8.8.8.9) and a part of them are even identical.

note when I’m trying to test it I found that I have on average 9 events in 5 min but when I’m using the real-time search I get almost 130 on average.

srijondas · ‎05-17-2021

I am facing a similar problem.

real-time search using python SDK export command

other

python

rest API

SDK

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!