I've troubleshot this for a while; I must not be comprehending this correctly. Basically I'm trying to use the | savedsearch command to execute a saved search. Straightforward, right? The hitch is that I'm trying to do it via the API using the SDK, but when I try it, it cannot find the search by the name I specify; I can copy/paste it directly into Splunk and it works, so I'm good there.
Basically anyone who is able to use the Splunk SDK to execute an arbitrary SPL query, but within the context of a specific app, could likely help me; but it's appreciated regardless! Here is some basic code to describe what I'm doing:
import splunklib.client as client
from time import sleep

config = {"searches": ["search index=firewall | ... | outputlookup mylookup", "..."]}
service = client.connect(host="foo", username="user", password="pass", app="my_app_name")
jobs = service.jobs
for search in config["searches"]:
    myargs = {"exec_mode": "normal"}
    job = jobs.create(search, **myargs)
    # Poll until the job has finished; results are deliberately not fetched.
    while True:
        while not job.is_ready():
            pass
        if job["isDone"] == "1":
            break
        sleep(2)
That is the most relevant piece of the code. I'm not looking to bring the results back, which is why you don't see that. I'm more interested in executing a search that is used to populate some lookups, and use lookups, which is why I need to figure out why the app context is not working for me. Perhaps I'm just doing it wrong!
I can run saved searches in a specific context without any problem using the SDK.
I use the following code:
import splunklib.client as client

instance = client.connect(host="localhost", username="user", password="pass", app="my_app")
job = instance.jobs.create("| savedsearch Rule1")
Where Rule1 is a saved search with my_app permissions.
If your saved search has private permissions, you will have to add owner="search_owner" to the parameters!
You can try adding the following at the beginning of the script; it will print SDK debug logs in the console and could be helpful!
import logging
logging.basicConfig(level=logging.DEBUG)
This has puzzled me too. It turned out that the default connect parameters don't give you access to objects that are set to "private" by other users. To get that, you need to explicitly specify it with the wildcard, which is "-". Put that in your ~/.splunkrc or set it manually in the connect() method.
# Splunk host (default: localhost)
host=HOSTNAMEHERE
# Splunk admin port (default: 8089)
port=8089
# Splunk username
username=USERNAMEHERE
# Splunk password
password=PASSHERE
# Access scheme (default: https)
scheme=https
# Your version of Splunk (default: 5.0)
version=6.6.4
# App context (wildcard)
app=-
# Owner wildcard
owner=-
After that, you should be able to see all objects. For example, this should return all searches (global, app, user) from all apps:
import sys
import splunklib.client as client
from utils import parse  # parse() is the helper shipped in the SDK's examples/utils module
def main():
    opts = parse(sys.argv[1:], {}, ".splunkrc")  # reads host/credentials/app/owner from ~/.splunkrc
    service = client.connect(**opts.kwargs)
    savedsearches = service.saved_searches
    for s in savedsearches:
        print(s.name, s.access["owner"], s.access["sharing"])
if __name__ == "__main__":
    main()
I hope it helps!
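As an added example, not code from this thread: a small offline model of why the app-only connect in the question misses private searches while app=- / owner=- sees everything. The path rule mirrors how the SDK builds the namespaced REST endpoint as I understand it (no owner becomes "nobody", no app becomes "system"); the visibility rule is a simplified model of Splunk's /servicesNS semantics, and the saved-search catalogue is constructed.

```python
from collections import namedtuple

SavedSearch = namedtuple("SavedSearch", "name owner app sharing")

# Constructed catalogue in the shape of service.saved_searches and s.access.
CATALOGUE = [
    SavedSearch("Rule1", "nobody", "my_app", "app"),
    SavedSearch("Rule2", "alice", "my_app", "user"),    # alice's private search
    SavedSearch("Rule3", "nobody", "search", "global"),
    SavedSearch("Rule4", "nobody", "other_app", "app"),
]


def rest_path(segment, owner=None, app=None):
    """Endpoint the SDK requests for these connect() args (assumed rule:
    no owner -> 'nobody', no app -> 'system', neither -> /services/)."""
    if owner is None and app is None:
        return "/services/" + segment
    return "/servicesNS/%s/%s/%s" % (owner or "nobody", app or "system", segment)


def visible(catalogue, owner=None, app=None):
    """Names a GET on rest_path('saved/searches', owner, app) would return
    (simplified model; '-' is the wildcard for owner and app)."""
    names = []
    for s in catalogue:
        if s.sharing == "global":
            ok = True                                    # every namespace
        elif s.sharing == "app":
            ok = app in ("-", s.app)                     # that app or wildcard
        else:                                            # private to its owner
            ok = owner in ("-", s.owner) and app in ("-", s.app)
        if ok:
            names.append(s.name)
    return names


if __name__ == "__main__":
    for kwargs in ({"app": "my_app"},                    # the question's connect()
                   {"app": "my_app", "owner": "alice"},  # owner added for a private search
                   {"app": "-", "owner": "-"}):          # the ~/.splunkrc wildcards
        print(rest_path("saved/searches", **kwargs), visible(CATALOGUE, **kwargs))
```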
Here is a link to the Python SDK Saved Search examples
In short, try iterating over the saved searches in your app context like:
savedsearches = service.saved_searches
for savedsearch in savedsearches:
    print(" " + savedsearch.name)
    print(" Query: " + savedsearch["search"])
Thank you for your idea!
Instead of using the | savedsearch command, try using the SavedSearch object, as specified here:
I've considered that, but I didn't see anything about token usage like in the | savedsearch command.