Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: How do I compare different values for fields r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have just started playing around with the python REST API for a project i have in mind. Please forgive me as this is my first real attempt at scripting/programming anything really. I'm using Python to query Splunk.
Anyway based on the examples i found on the website, this is a part of the code:
request = urllib2.Request(base_url + '/servicesNS/%s/search/search/jobs/export' % (username),
data = urllib.urlencode({'search': search_query,'output_mode': 'csv'}),
headers = { 'Authorization': ('Splunk %s' %session_key)})
search_results = urllib2.urlopen(request)
returned_data = search_results.read()
Here is an example output (i have on purpose only selected two fields and 3 events for each)
"_time",Service
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]"
"2015-06-10 17:48:04.000 BST","dnsmasq-dhcp[472]"
When printing the value of returned_data, i can see all the information i expect. However, the variable has a type of string so i need to convert it to something, but not sure what. The end aim is to be able to compare the different values in the fields. Would i need to convert the above output to a dictionary or a list ? Also, should i maybe be trying to export the results from splunk in a different format than csv?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is alot easier using the Splunk Python SDK
Example code doing mock String compare against the _raw field from the export search results :
import splunklib.results as results
import splunklib.client as client
def compare(val_a, val_b):
return val_a == val_b
if __name__ == '__main__':
service = client.connect(host='localhost',port=8089,username='admin',password='abc')
kwargs_export = {"earliest_time": "-1h",
"latest_time": "now",
"search_mode": "normal"}
searchquery_export = "search index=_internal"
exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
reader = results.ResultsReader(exportsearch_results)
foo_field = 'foo'
for result in reader:
if isinstance(result, dict):
raw_field = result['_raw']
print compare(raw_field,foo_field)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is alot easier using the Splunk Python SDK
Example code doing mock String compare against the _raw field from the export search results :
import splunklib.results as results
import splunklib.client as client
def compare(val_a, val_b):
return val_a == val_b
if __name__ == '__main__':
service = client.connect(host='localhost',port=8089,username='admin',password='abc')
kwargs_export = {"earliest_time": "-1h",
"latest_time": "now",
"search_mode": "normal"}
searchquery_export = "search index=_internal"
exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export)
reader = results.ResultsReader(exportsearch_results)
foo_field = 'foo'
for result in reader:
if isinstance(result, dict):
raw_field = result['_raw']
print compare(raw_field,foo_field)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
