Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Possible Splunk SDK bug
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This could be a mistake in setting a flag from my side, or a possible bug in the Splunk SDK. Before I spend more time to debug the Splunk python SDK, I want to get pointers/advice.
I followed this post http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 to run a search job using the Splunk SDK. As far as I can tell, the search job was created with a good job id and finished properly. The https://my_host8089/servicesNS/nobody/search/search/jobs/{job_id}/ page shows two events in XML format as expected.
But the Splunk SDK returns empty result. The debugger shows that the job.results() only gets the first line of the XML file shown above. So it can't extract any event from the results.
Seems like I need to debug the Splunk SDK code now. Any better suggestions please?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, answering my question again!
This is caused by a delay through the REST API. I used
| makeresults .....
to simulate events. Right after that, if I run
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"
from the Splunk Web, I can get the results right away. But running it using the Splunk python SDK won't get anything. It takes up to 5-10 minutes before the Splunk python SDK shows results.
So might not be a big problem for the real cases.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, answering my question again!
This is caused by a delay through the REST API. I used
| makeresults .....
to simulate events. Right after that, if I run
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"
from the Splunk Web, I can get the results right away. But running it using the Splunk python SDK won't get anything. It takes up to 5-10 minutes before the Splunk python SDK shows results.
So might not be a big problem for the real cases.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to be more specific here.
Running a search job using the SDK works most of the time. But this is the one causing trouble found so far. A search:
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"
This is a saved search from ESCU.
Running this from Splunk Web, it shows two events as expected. Running this using the Splunk python SDK, I can see that a search job was created and finished successfully. Using the search id associated with the job, I can check that https://my_host:8089/servicesNS/nobody/search/search/jobs/{job_id}/results shows two events in XML format.
But the python SDK only returns an empty list. According to the debugger, job.results() only gets the first line of the XML file.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
