Splunk Search

How do I get data from Splunk REST API using python? Receiving error

ssharm223
Loves-to-Learn

Hi, so my team currently has some data on Splunk Cloud. My task is to use your REST API to get this data using Python.

On Splunk web I get this data by using the following query:

| from inputlookup:"cloud_accountList"

I have written a simple python script to get the data:

import requests  # needed for requests.post() below; the import was missing

splunkTenant = 'avc3'
splunkURL = {
    'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234",
}
splunkCredentials = {
    'user': 'test_user',
    'password': 'SplunkIsGreat'
}
searchString = '| from inputlookup:"cloud_accountList"'

search = {
    'search': searchString,
    'output_mode': 'json'
}

splunkEndpoints = {
    'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}",
}

cacertpath = '/Users/***/Downloads/cacert.pem'

# Must be named searchURL: the POST below refers to it by that name (it was searchURL2).
searchURL = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs"

splunk_response = requests.post(
    url=searchURL,
    auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])),
    verify=cacertpath,  # the comma after this argument was missing (syntax error)
    data=search)

# Show what the server replied (status code plus the JSON body); this is where
# the error text quoted later in this thread comes from.
print(splunk_response.status_code, splunk_response.text)

When I run this script I get an error. Can someone please help me out?


Regards

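The request in the post only creates the search job; with the Splunk REST API you then poll the job and fetch its results in separate calls. The Python below is an added example, not the poster's script, that walks through that create/poll/fetch sequence and raises on Splunk's own ERROR messages (such as the lookup-definition error quoted later in this thread) instead of silently continuing. The base URL, the app name `search` and the helper name make_session are assumptions.

```python
import time

def create_job(session, base, user, app, search):
    """POST a search job and return its sid, raising with Splunk's ERROR text if refused."""
    url = f"{base}/servicesNS/{user}/{app}/search/jobs"
    body = session.post(url, data={"search": search, "output_mode": "json"}).json()
    errors = [m["text"] for m in body.get("messages", []) if m.get("type") == "ERROR"]
    if errors:
        raise RuntimeError("Splunk rejected the search: " + "; ".join(errors))
    return body["sid"]

def wait_for_job(session, base, sid, timeout=120, interval=2):
    """Poll /services/search/jobs/<sid> until isDone; return the job's content dict."""
    deadline = time.monotonic() + timeout
    while True:
        body = session.get(f"{base}/services/search/jobs/{sid}", params={"output_mode": "json"}).json()
        content = body["entry"][0]["content"]
        if content.get("isFailed"):
            raise RuntimeError(f"search job {sid} failed (dispatchState={content.get('dispatchState')})")
        if content.get("isDone"):
            return content
        if time.monotonic() > deadline:
            raise TimeoutError(f"search job {sid} still running after {timeout}s")
        time.sleep(interval)

def fetch_results(session, base, sid):
    """Return all result rows of a finished job (count=0 means no row limit)."""
    url = f"{base}/services/search/jobs/{sid}/results"
    return session.get(url, params={"output_mode": "json", "count": 0}).json().get("results", [])

def run_search(session, base, user, app, search, interval=2):
    """Full lifecycle: create the job, wait for it to finish, fetch its rows."""
    sid = create_job(session, base, user, app, search)
    wait_for_job(session, base, sid, interval=interval)
    return fetch_results(session, base, sid)

def make_session(user, password, cacert):
    """Hypothetical helper: an authenticated requests.Session (imported lazily so the
    functions above can be exercised with any object exposing .get/.post)."""
    import requests
    session = requests.Session()
    session.auth = (user, password)
    session.verify = cacert  # path to the CA bundle, like the poster's cacert.pem
    return session

if __name__ == "__main__":
    # Placeholder host, credentials and app; substitute your own Splunk Cloud values.
    sess = make_session("test_user", "SplunkIsGreat", "/path/to/cacert.pem")
    for row in run_search(sess, "https://ab1.avc3.splunkcloud.com:1234", "test_user", "search", '| from inputlookup:"cloud_accountList"'):
        print(row)
```

The job endpoint under servicesNS/<user>/<app> controls which app context the lookup is resolved in, so the app you pass must be one where the lookup definition is shared or defined.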

AGLbwa
Path Finder

@ssharm223 One thing that may be worth trying is adding the app to your connection parameters. I get a different error when I do this and it may simply be that my permissions aren't set up correctly.


AGLbwa
Path Finder

@ssharm223 did you ever get an answer to this? Guessing no? I'm having the same issue with accessing a csv lookup that I can access via the web UI; however, attempting to access it via the API gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str' requires a .csv or KV store lookup definition..

However changing the search to "|inputlookup asset_lookup-by_str.csv" still gets me:

 Non-result: ERROR The lookup table 'asset_lookup-by_str.csv' requires a .csv or KV store lookup definition..

I suspect there is some combination of non-filesystem access and non-default csv locations that means we are SOL, but happy to be proven wrong by the brains trust!


AGLbwa
Path Finder

This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!


AGLbwa
Path Finder

Just as a follow-up, with csv I definitely get an error. I get the error:

Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition..

Without .csv I get the same error but *also*:

Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..


ITWhisperer
SplunkTrust

What error do you get?


ssharm223
Loves-to-Learn

'ERROR', 'text': "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition

This is the error I am getting


ITWhisperer
SplunkTrust

Looks like you need to set up a definition for the lookup

[screenshot attached]


ssharm223
Loves-to-Learn

Thanks ITWhisperer.  Can you list the exact steps we have to follow?  I am very new to this.


ITWhisperer
SplunkTrust

ssharm223
Loves-to-Learn

Went over this with an admin.  Looks like the lookup is already defined.  Is there anything else I can try?
