Reporting

Trouble using Export API for streaming data

phagunbaya
Explorer

I'm using export API for streaming the data. The use case is : I want to open a stream for a search query and want to push the data outside splunk. I'm hoping that export API will stream the live data as it gets indexed in splunk and will remain live. Is it the right way to approach ?

code snippet
kwargs_export = {
"earliest_time": "-15m",
"latest_time": "now",
"search_mode": "normal",
"output_mode" : "csv",
"auto_cancel" : 0,
"auto_finalize_ec" : 0,
"auto_pause" : 0
}
searchquery_export = "search " + self.search
exportsearch_results = self.request.service.jobs.export(searchquery_export, **kwargs_export)
reader = results.ResultsReader(exportsearch_results)

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The Python (I guess...) SDK's export API works for real-time searches, you need to specify appropriate values for earliest_time and latest_time such as rt-15m and rt.

http://dev.splunk.com/view/python-sdk/SP-CAAAEE5#exportsearch

0 Karma

phagunbaya
Explorer

I'm using following config but nothing was returned from export API.
kwargs_export = {
"earliest_time": "rt-15m",
"latest_time": "rt",
"search_mode": "normal",
"output_mode" : "csv",
"auto_cancel" : 0,
"auto_finalize_ec" : 0,
"auto_pause" : 0
}
searchquery_export = "search \"auto-0037.1\" | dedup val2 | table time,val1,val2"
exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
reader = results.ResultsReader(exportsearch_results)

reader is returned always empty

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm not sure if this will work, but you will at least have to turn your search into a real-time search if you want the search to "remain live". As it is now, you will search for data from the last fifteen minutes once and then be finished.

0 Karma

phagunbaya
Explorer

So, which api should I use for realtime search ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...