I am trying to fetch all saved searches created by me with the Python SDK using the below code.
import splunklib.client as client
service = client.connect(host='xyz',
username='xyz',
password='xyz',
owner='xyz',
app='search')
savedsearches = service.saved_searches
for savedsearch in savedsearches:
print savedsearch.name
The code returned a list of saved searches were not created by me, nor are they able to be found with in the GUI.
Any thoughts as to why this would return the names of saved searches that don't seem to exist?
In the docs there is a class called splunklib.client.Collection(service, path, item=)
Should I be using this instead?
If you are seeing saved searches that don't exist... you most definitely have more than one instance of Splunk running.
You want to check here http://docs.splunk.com/DocumentationStatic/PythonSDK/1.3.0/binding.html#splunklib.binding.Context
because there are more options you can specify for client.connect()
the default management port setting is 8089, so if you haven't specified the port... that's what is being passed and that is not the management port for the instance you're trying to query.
I tested this, by implementing your script as is and filling in the 'xyz' as it pertains to my instance... and I got "unexpected" results too as I was seeing global saved searches that came from another instance (that I didn't even realize was running). So I tested further by changing the app= to an app I knew existed in the instance I was expecting to query and got "folder not found".
I changed the port to the alt management port I was using and I was now pointing at the proper instance.
Your code is fine. It's just not looking at the search head you think it should be...
If you are seeing saved searches that don't exist... you most definitely have more than one instance of Splunk running.
You want to check here http://docs.splunk.com/DocumentationStatic/PythonSDK/1.3.0/binding.html#splunklib.binding.Context
because there are more options you can specify for client.connect()
the default management port setting is 8089, so if you haven't specified the port... that's what is being passed and that is not the management port for the instance you're trying to query.
I tested this, by implementing your script as is and filling in the 'xyz' as it pertains to my instance... and I got "unexpected" results too as I was seeing global saved searches that came from another instance (that I didn't even realize was running). So I tested further by changing the app= to an app I knew existed in the instance I was expecting to query and got "folder not found".
I changed the port to the alt management port I was using and I was now pointing at the proper instance.
Your code is fine. It's just not looking at the search head you think it should be...