Getting Data In

Using python to query splunk and get SID - error 404

nisheethbaxi
Loves-to-Learn

I have this query (below):

1) When I run this query in Splunk web, I get back SID and get data using SID.

2) When I use curl command, I get back SID and get data using SID.

3) But when I use Python, I get SID in the response with status code 201.

#read this query from file

 

with open("aquery2.txt", "r") as f:
aQuery = f.read()

##derive earliest and latest 
finalAQuery=("search" + " " +("earliest=" + "1711982700.001" + "=" + ("latest=" + 1711983600.0 + " " + aQuery)

 


url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/jobs"
def getSid():
try:

 

response = requests.post(url, headers={'Authorization': TOKEN}, data={'search': finalAQuery}, verify=False)

 


I get back the SID. But when I use the SID to get the results, I get error 404, <Response [404]>
{"messages":[{"type":"FATAL","text":"Unknown endpoint."}]}

def getMetric():
try:

 

getData=(url + '/' + sid + '/results')
getSidResponse = requests.get(getData, headers={'Authorization': TOKEN}, data={'output_mode' : 'json'}, verify=False)

 

#aquery.txt contents below.

 

index=apigee sourcetype="apigee:Prod_access_logs" | rex field=proxyUri "(?P<proxyUri>(([a-zA-Z]+)\d)(?:\d\/[a-zA-Z]+|\/[a-zA-Z]+)+)" | convert num("requestTimeinSec") |rex field=_raw "(?<timeStamp>\d{4}\-\d{1,2}\-\d{1,2}T\d{1,2}\:\d{1,2}\:\d{1,2}\-\d{1,2}\:\d{1,2})\s+(?<hostValue>\w+)\s+\S+\s+\S+\s+(?<requestTimeinSec>\S+)\s+\-\s+-\s+(?P<httpStatusCode>\w+)\s+(?<upstreamHttpStatusCode>\w+)\s+\w+\s+\w+\s+(?<methodName>\w+)\s+(?<proxyUri>\S+)\s+(?<httpVersion>\S+)\s+(?<messageId>\S+)" |rex field=_raw "^([^\t]+\t){35}(?P<ClientId>[^\t]+)" | eval totalResponseTime=round(requestTimeinSec*1000) | replace "z1/credit/bank/info/usa" with "x1/credit/bank/info/canada" in proxyUri | replace "v1/taste" with "/connecticut/taste/v1/newyork" in proxyUri | rangemap field="httpStatusCode" "httpStatusCode"=0-499 | rename range as RangeSuccesshttpStatusCode | eval Product=case(like(ClientId, "JERSEY"), "aaa", like(ClientId, "APPLE"), "bbb", like(ClientId, "HELLO"), "ccc") | eval ATier=case((like(proxyUri,"/paypal/jersey/v1/newyork") AND like(methodName,"POST") AND IN (Product, "aaa", "bbb", "ccc")) , "Tier1", (like(proxyUri,"v1/credit/bank/info/canada") AND like(methodName,"GET") AND IN (Product, "aaa", "bbb", "ccc")) OR (like(proxyUri,"v1/credit/accounts/profile") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier2",(like(proxyUri,"v1/alerts/preferences") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier3",1==1,"NA") | stats count(totalResponseTime) as TotalTrans, count(eval(RangeSuccesshttpStatusCode="httpStatusCode")) as TotalSuccesTran, count(eval(httpStatusCode<500)) as GoodEvents, by ATier Product proxyUri methodName | where ((Product IN ("aaa", "bbb", "ccc")) AND (ATier IN ("Tier1", "Tier2","Tier3"))) |rename methodName AS Method | fields ATier proxyUri Method TotalTrans GoodEvents

 

Labels (1)
0 Karma

marnall
Motivator

What happens if you use the v2 jobs endpoint? (the non-v2 one is deprecated, as per https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch)

Instead of:

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/jobs"

Try:

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/v2/jobs"

 

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...