Using the Python SDK, why does my code return a list of saved searches that don't exist instead of a list of saved searches I created?

metersk
Path Finder

I am trying to fetch all saved searches created by me with the Python SDK using the below code.

import splunklib.client as client

service = client.connect(host='xyz',
                         username='xyz',
                         password='xyz',
                         owner='xyz',
                         app='search')

# Collection of saved searches visible in the owner/app namespace given above
savedsearches = service.saved_searches

for savedsearch in savedsearches:
    print(savedsearch.name)

The code returned a list of saved searches that were not created by me, nor are they able to be found within the GUI.

Any thoughts as to why this would return the names of saved searches that don't seem to exist?

In the docs there is a class called splunklib.client.Collection(service, path, item=)

Should I be using this instead?


rsennett_splunk
Splunk Employee

If you are seeing saved searches that don't exist... you most definitely have more than one instance of Splunk running.
You want to check here http://docs.splunk.com/DocumentationStatic/PythonSDK/1.3.0/binding.html#splunklib.binding.Context because there are more options you can specify for client.connect(). The default management port setting is 8089, so if you haven't specified the port... that's what is being passed and that is not the management port for the instance you're trying to query.

I tested this, by implementing your script as is and filling in the 'xyz' as it pertains to my instance... and I got "unexpected" results too as I was seeing global saved searches that came from another instance (that I didn't even realize was running). So I tested further by changing the app= to an app I knew existed in the instance I was expecting to query and got "folder not found".

I changed the port to the alt management port I was using and I was now pointing at the proper instance.

Your code is fine. It's just not looking at the search head you think it should be...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
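
The check the accepted answer arrives at, written out as an added example (not code from the thread or from Splunk): pass the management port explicitly, confirm which splunkd answered before trusting its results, and filter on each search's ACL owner. The helper names, the server name, user and port values, and the sample data are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed stand-ins for splunklib objects, so the checks run without a server.
Acl = namedtuple("Acl", "owner app sharing")    # shape of entity.access
Search = namedtuple("Search", "name access")    # shape of a saved search

SAMPLE = [  # constructed data, not taken from any real instance
    Search("Errors last 24h", Acl("alice", "search", "user")),
    Search("License usage", Acl("nobody", "search", "global")),
    Search("Failed logins", Acl("alice", "search", "app")),
]


def verify_instance(info, expected_server):
    """Raise unless the splunkd that answered is the one we meant to query."""
    actual = info["serverName"]
    if actual != expected_server:
        raise RuntimeError("connected to %r, expected %r" % (actual, expected_server))
    return actual


def searches_owned_by(saved_searches, owner):
    """Names of saved searches whose ACL owner is `owner`; others' shared ones are skipped."""
    return sorted(s.name for s in saved_searches if s.access.owner == owner)


def list_my_searches(expected_server, owner, host, port, **creds):
    """Connect to an explicit management port, check identity, then list."""
    import splunklib.client as client  # deferred so the helpers above need no SDK
    service = client.connect(host=host, port=port, owner=owner, **creds)
    verify_instance(service.info, expected_server)
    return searches_owned_by(service.saved_searches, owner)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(searches_owned_by(SAMPLE, "alice"))
    # Against a real instance (hypothetical values):
    # list_my_searches("sh-prod-01", "alice", "localhost", 8090,
    #                  username="alice", password="...", app="search")
```

Failing closed on a `serverName` mismatch also keeps the script from acting on results from whichever splunkd happens to be listening on the default port.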
