Splunk Dev

How to search lookup files with Python SDK (and I would like to look up the endpoint by postman.)

newnew20241018
Loves-to-Learn Everything

Hi, 

 

I installed Python SDK in App.

I registered endpoint in the file restmap.conf .

I'd like to receive an answer in json format for the lookup file through search.

and I'd like to use this response data at another splunk app.

 

But, The following error message is returned...

'bad character (49) in reply size'

 

If I print a simple search without using a class SearchHandler(PersistentServerConnectionApplication), the result is good.

But, If I use endpoint, the following errors always occur.

 

 

newnew20241018_0-1745395103759.png

newnew20241018_1-1745395165240.png

 

Why is this error occurring?

 

this is my code.

  • my restmap.con code
[script:search-number]
match                 = /search-number
script                = search_handler.py
scripttype            = persist
handler               = search_handler.SearchHandler

 

  • my search_handler.py code
# import .env 
from config import search_env
env = search_env()
HOST = env['HOST']
PORT = env['PORT']
USERNAME = env['USERNAME']
PASSWORD = env['PASSWORD']

import json
import time
from splunk.persistconn.application import PersistentServerConnectionApplication
import splunklib.client as client
import splunklib.results as results
from splunklib.results import JSONResultsReader

class SearchHandler(PersistentServerConnectionApplication):
    def __init__(self, command_line, command_arg):
        super(SearchHandler, self).__init__()

    def handle(self, args):
        try:
            service = client.connect(
                host=HOST,
                port=PORT,
                username=USERNAME,
                password=PASSWORD,
            )

            search_query = '| inputlookup search-numbers.csv'
            jobs = service.jobs
            job = jobs.create(search_query)

            while not job.is_done():
                time.sleep(1)

            reader = JSONResultsReader(job.results(output_mode='json'))
            results_list = [item for item in reader if isinstance(item, dict)]

            print(results_list)
            return {
                'payload': results_list,
                'status': 200
            }

        except Exception as e:
            return {
                'payload': {'error': str(e)},
                'status': 500
            }

 

 

Is there an example code to search for csv files using 'endpoint'?

 

https://github.com/splunk/splunk-app-examples/tree/master/custom_endpoints/hello-world

this example is not using search.

 

I'm a front-end developer who doesn't know Python very well.....😭😭😭😭

 

 

Labels (3)
0 Karma

livehybrid
Super Champion

Hi @newnew20241018 

I think your print statement is going to corrupt the response fed back and will prevent valid JSON/XML being rendered. Try removing this and see if that resolves the issue.

            print(results_list)

 Note - Persistent endpoints are...persistent...so if you edit the file you might need to kill the persistent process if its still running before you get a clean rendering of the output again. 

If you're using linux then you can check with

ps -aux | grep persistent

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...