Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to return job errors when searching via API?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to return job errors when searching via API?
nhaynie_tmo
Engager
08-22-2017
03:59 PM
When I call the Splunk API via Python SDK, I get results fine. However, when I run the same query via the UI, I sometimes have errors show up in the job inspector. Sometimes that error might suggest I may have partial results due to issues with an indexer. I would like to be able to get search results AND any errors that might be related to that job just as I do via the UI when querying the API. Does anyone know if this is possible and have any suggestions on how to retrieve them? Without returning errors, we may not be able to 'trust' the results if there were errors with the job we are not aware of.
Here is the code I am using to pull results:
def run_export(splunk_host, splunk_port, splunk_username, splunk_password, query, job_name, earliest_time, latest_time, directory, chunk):
# Initialize service
service = client.connect(host=splunk_host, port=splunk_port, username=splunk_username, password=splunk_password)
kwargs_params = {"exec_mode": "normal",
"earliest_time":earliest_time,
"latest_time":latest_time,
"count":0}
job = service.jobs.create(query, **kwargs_params)
# A normal search returns the job's SID right away, so we need to poll for completion
while True:
while not job.is_ready():
pass
stats = {"isDone": job["isDone"],
"doneProgress": float(job["doneProgress"])*100,
"scanCount": int(job["scanCount"]),
"eventCount": int(job["eventCount"]),
"resultCount": int(job["resultCount"])}
status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned "
"%(eventCount)d matched %(resultCount)d results") % stats
sys.stdout.write(status + "\n")
sys.stdout.flush()
if stats["isDone"] == "1":
sys.stdout.write("\n\nDone!\n\n")
break
sleep(2)
# Get the results and display them
i=0
for result in results.ResultsReader(job.results(count=0)):
i=i+1
print json.dumps(result)
f = open(directory + '/' + job_name + '/' + chunk + '_' + str(i) + '_' + job_name + '.json','w')
f.write(json.dumps(result))
job.cancel()
sys.stdout.write('\n')
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmeyerson
Path Finder
04-22-2018
07:35 PM
I think you are asking for this:
see: search/jobs/{search_id}/search.log
Get Updates on the Splunk Community!
Splunk Enterprise Security: Your Command Center for PCI DSS Compliance
Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...
Developer Spotlight with Guilhem Marchand
From Splunk Engineer to Founder: The Journey Behind TrackMe
After spending over 12 years working full time ...
Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...
The Problem: When Networks and Services Don't Talk
Payment systems fail at a retail location. Customers are ...
