Using the Python SDK, why is job.name returning an SID instead of a name?

metersk
Path Finder
import splunklib.client as client

service = client.connect(host='xyz',
                         username='xyz',
                         port="8089",
                         password='xyz',
                         owner='xyz',
                         app='search')

savedsearches = service.saved_searches
jobs = service.jobs

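# print() with parentheses runs on both Python 2 and Python 3
print(jobs)

for x in jobs:
    # name and sid print the same value here (see the answer below)
    print(x.name + " | " + x.sid)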

Running the above code gives me an output of 1429721446.123816 | 1429721446.123816

I know that this is the correct SID, but I also know that this saved search has a name of KPI - Messaging (UK WARPU 1). According to the docs, they should not be returning the same thing.

Am I missing something fundamental to fetch the name of a saved search?


Update:

So I did a hacky var dump on the job object and it does not have a name property. So two questions from this: if there is no name property, why is SID replacing it? And why is there no name property?

0 Karma
1 Solution

KenWhitesell
Path Finder

To answer your last question first, if you look at client.py within the sdk, you'll see that "name" is implemented as a property and not as a variable. In the standard entity object, it returns the value of the state.title variable, but that method is overridden in the Job object to return sid. (That's why they're the same value.)

If you do a dir(job), you'll see the entry for "name" present, but since it's a property and not a variable, dumping the variables won't show a value for it. If you look at the object dictionary for the job (job.dict.keys()), you'll see that it only defines four variables, path, _state, service, and sid.

You might want to look at what's available through the job.state object to see if that gives you more of the information that you're looking for.

KenWhitesell
Path Finder

(Oops, markdown mangled part of my answer. The reference to jobs.dict.keys() should actually be: jobs.<double underscore>dict<double underscore>.keys())

0 Karma

metersk
Path Finder

Hi Ken, thanks for the reply. Essentially I am looking for a way to access the data of my saved searches every morning. Unfortunately, SID is not descriptive enough to tell me what the search actually contains. Do you have any thoughts on the best way to access saved searches?

0 Karma

KenWhitesell
Path Finder

I'm not sure I understand what you're trying to retrieve here.

When a search is run (saved or otherwise), the job keeps the results for the configured period of time.
see: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Aboutjobsandjobmanagement
and: http://docs.splunk.com/Splexicon:Job

You can retrieve those results using the job object using the SID, until the job expires. Once the job has expired, you'd have to re-run the search.

So your other option would be to run the search itself by the script, and retrieve the results. In that case, you can run the search by its name.

(Logically, it doesn't make sense to me to try and identify a job that has already been run just by name, since that particular search could have been run multiple times, generating different results each time.)

0 Karma

metersk
Path Finder

Here is my scenario:

I have 20 different saved searches that run on a cron schedule every morning at 6am. I want to retrieve the data from those searches, but the SID is not descriptive enough to tell which search contains what data. If I were able to retrieve the SID and the name that I used when I created the saved search, I would be able to parse and manipulate the data appropriately, because I would know what I was dealing with ahead of time. Unfortunately, all I can retrieve is the SID, which does not tell me what the search is, as the name of the saved search would.

0 Karma

KenWhitesell
Path Finder

Ok, I think I understand now.

Go ahead and look at the ".state.title" string for the job object and see if that provides the detail you need.

0 Karma
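
An added example, not part of any post above and not code from the Splunk SDK: a simplified stand-in for the behaviour Ken describes (`name` as a property that the job class overrides to return `sid`), plus a helper that groups SIDs by `state.title`. The class bodies, the `search/jobs/` path, and every sample value except the SID and search name quoted in the question are constructed; that `state.title` holds the saved-search name on a real server is an assumption here, not something the thread confirms.

```python
# Simplified model of the behaviour described in the thread; NOT splunklib code.
from collections import defaultdict
from types import SimpleNamespace

class Entity:
    """Stand-in for a generic entity: name is a property, not a stored value."""

    def __init__(self, service, path, state):
        self.service = service
        self.path = path
        self._state = state

    @property
    def state(self):
        return self._state

    @property
    def name(self):
        return self.state.title

class Job(Entity):
    """Stand-in for a job: overrides name so that it returns the SID."""

    def __init__(self, service, sid, state):
        # Path layout is constructed for this sketch.
        super().__init__(service, "search/jobs/" + sid + "/", state)
        self.sid = sid

    @property
    def name(self):
        return self.sid

def sids_by_title(jobs):
    """Group SIDs under state.title; one search can have several runs."""
    grouped = defaultdict(list)
    for job in jobs:
        grouped[job.state.title].append(job.sid)
    return dict(grouped)

# Constructed sample jobs; assumes state.title carries a descriptive name.
JOBS = [
    Job(None, "1429721446.123816", SimpleNamespace(title="KPI - Messaging (UK WARPU 1)")),
    Job(None, "1429721500.123900", SimpleNamespace(title="KPI - Messaging (UK WARPU 1)")),
    Job(None, "1429721600.124000", SimpleNamespace(title="Constructed search B")),
]

if __name__ == "__main__":
    job = JOBS[0]
    print(job.name == job.sid, sorted(vars(job)), "name" in dir(job))
    print(sids_by_title(JOBS))
```

Against a live connection the same grouping would iterate `service.jobs` instead of the constructed `JOBS` list.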