How do I get data from Splunk REST API using pytho...

ssharm223 · ‎05-12-2022

Hi, so my team is currently has some data on Splunk cloud. My task is to use your REST API to get this data using python.

On Splunk web I get this data by using the following query:

| from inputlookup:"cloud_accountList"

I have written a simple python script to get the data:

splunkTenant = 'avc3'
splunkURL = {
    'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234",
}
splunkCredentials = {
    'user': 'test_user',
    'password': 'SplunkIsGreat'
}
searchString = f"| from inputlookup:\"cloud_accountList\""

search = {
    'search': searchString,
    'output_mode': 'json'
}

splunkEndpoints = {
    'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}",
}

cacertpath = '/Users/***/Downloads/cacert.pem'

searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs"

splunk_response = requests.post(
    url=searchURL,
    auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])),
    verify=cacertpath
    data=search)

When I run this script I get an error. Can someone please help me out?

Regards

AGLbwa · ‎08-29-2023

@ssharm223 One thing that may be worth trying is adding the app to your connection parameters. I get a different error when I do this and it may simply be that my permissions aren't set up correctly.

AGLbwa · ‎08-29-2023

@ssharm223 did you ever get an answer to this? Guessing no? I'm having the same issue with accessing a csv lookup that I can access via the web UI, however attempting to access it via API gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str' requires a .csv or KV store lookup definition..

However changing the search to "|inputlookup asset_lookup-by_str.csv" still gets me:

 Non-result: ERROR The lookup table 'asset_lookup-by_str.csv' requires a .csv or KV store lookup definition..

I suspect there is some combination of non-filesystem access and non-default csv locations that means we are SOL, but happy to be proven wrong by the brains trust!

AGLbwa · ‎08-29-2023

This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!

AGLbwa · ‎09-05-2023

Just as a follow up with csv I definitely get an error. I get the error:

Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition..

Without .csv I get the same error but *also*:

Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..

ITWhisperer · ‎05-13-2022

What error do you get?

ssharm223 · ‎05-13-2022

'ERROR', 'text': "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition

This is the error I am getting

ITWhisperer · ‎05-13-2022

Looks like you need to set up a definition for the lookup

ssharm223 · ‎05-13-2022

Thanks ITWhisperer. Can you list the exact steps we have to follow? I am very new to this.

ITWhisperer · ‎05-13-2022

Define a CSV lookup in Splunk Web - Splunk Documentation

ssharm223 · ‎05-16-2022

Went over this with an admin. Looks like the lookup is already defined. Is there anything else I can try?

How do I get data from Splunk REST API using python? Receiving error

Other

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting