Re: Using python to query splunk and get SID - err...

nisheethbaxi · ‎04-01-2024

I have this query (below):

1) When I run this query in Splunk web, I get back SID and get data using SID.

2) When I use curl command, I get back SID and get data using SID.

3) But when I use Python, I get SID in the response with status code 201.

#read this query from file

with open("aquery2.txt", "r") as f:
aQuery = f.read()

##derive earliest and latest 
finalAQuery=("search" + " " +("earliest=" + "1711982700.001" + "=" + ("latest=" + 1711983600.0 + " " + aQuery)

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/jobs"
def getSid():
try:

response = requests.post(url, headers={'Authorization': TOKEN}, data={'search': finalAQuery}, verify=False)

I get back the SID. But when I use the SID to get the results, I get error 404, <Response [404]>
{"messages":[{"type":"FATAL","text":"Unknown endpoint."}]}

def getMetric():
try:

getData=(url + '/' + sid + '/results')
getSidResponse = requests.get(getData, headers={'Authorization': TOKEN}, data={'output_mode' : 'json'}, verify=False)

#aquery.txt contents below.

index=apigee sourcetype="apigee:Prod_access_logs" | rex field=proxyUri "(?P<proxyUri>(([a-zA-Z]+)\d)(?:\d\/[a-zA-Z]+|\/[a-zA-Z]+)+)" | convert num("requestTimeinSec") |rex field=_raw "(?<timeStamp>\d{4}\-\d{1,2}\-\d{1,2}T\d{1,2}\:\d{1,2}\:\d{1,2}\-\d{1,2}\:\d{1,2})\s+(?<hostValue>\w+)\s+\S+\s+\S+\s+(?<requestTimeinSec>\S+)\s+\-\s+-\s+(?P<httpStatusCode>\w+)\s+(?<upstreamHttpStatusCode>\w+)\s+\w+\s+\w+\s+(?<methodName>\w+)\s+(?<proxyUri>\S+)\s+(?<httpVersion>\S+)\s+(?<messageId>\S+)" |rex field=_raw "^([^\t]+\t){35}(?P<ClientId>[^\t]+)" | eval totalResponseTime=round(requestTimeinSec*1000) | replace "z1/credit/bank/info/usa" with "x1/credit/bank/info/canada" in proxyUri | replace "v1/taste" with "/connecticut/taste/v1/newyork" in proxyUri | rangemap field="httpStatusCode" "httpStatusCode"=0-499 | rename range as RangeSuccesshttpStatusCode | eval Product=case(like(ClientId, "JERSEY"), "aaa", like(ClientId, "APPLE"), "bbb", like(ClientId, "HELLO"), "ccc") | eval ATier=case((like(proxyUri,"/paypal/jersey/v1/newyork") AND like(methodName,"POST") AND IN (Product, "aaa", "bbb", "ccc")) , "Tier1", (like(proxyUri,"v1/credit/bank/info/canada") AND like(methodName,"GET") AND IN (Product, "aaa", "bbb", "ccc")) OR (like(proxyUri,"v1/credit/accounts/profile") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier2",(like(proxyUri,"v1/alerts/preferences") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier3",1==1,"NA") | stats count(totalResponseTime) as TotalTrans, count(eval(RangeSuccesshttpStatusCode="httpStatusCode")) as TotalSuccesTran, count(eval(httpStatusCode<500)) as GoodEvents, by ATier Product proxyUri methodName | where ((Product IN ("aaa", "bbb", "ccc")) AND (ATier IN ("Tier1", "Tier2","Tier3"))) |rename methodName AS Method | fields ATier proxyUri Method TotalTrans GoodEvents

marnall · ‎04-11-2024

What happens if you use the v2 jobs endpoint? (the non-v2 one is deprecated, as per https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch)

Instead of:

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/jobs"

Try:

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/v2/jobs"

Using python to query splunk and get SID - error 404

data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation