Splunk Search

How do I get data from Splunk REST API using python? Receiving error

ssharm223
Loves-to-Learn

Hi, so my team currently has some data on Splunk Cloud.  My task is to use your REST API to get this data using Python.

On Splunk web I get this data by using the following query:

 

| from inputlookup:"cloud_accountList"

 

 I have written a simple python script to get the data:

 

import requests

splunkTenant = 'avc3'
splunkURL = {
    'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234",
}
splunkCredentials = {
    'user': 'test_user',
    'password': 'SplunkIsGreat'
}
searchString = f"| from inputlookup:\"cloud_accountList\""

# Form fields sent to the search endpoint
search = {
    'search': searchString,
    'output_mode': 'json'
}

# Namespaced REST prefix: /servicesNS/<user>
splunkEndpoints = {
    'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}",
}

# CA bundle used to verify the server certificate
cacertpath = '/Users/***/Downloads/cacert.pem'

searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs"

# POST the search to the jobs endpoint using HTTP basic authentication
splunk_response = requests.post(
    url=searchURL2,
    auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])),
    verify=cacertpath,
    data=search)

 

 

When I run this script I get an error.  Can someone please help me out? 

 

Regards

0 Karma

AGLbwa
Path Finder

@ssharm223 One thing that may be worth trying is adding the app to your connection parameters. I get a different error when I do this and it may simply be that my permissions aren't set up correctly.

0 Karma

AGLbwa
Path Finder

@ssharm223 did you ever get an answer to this? Guessing no? I'm having the same issue with accessing a csv lookup that I can access via the web UI, however attempting to access it via API gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str' requires a .csv or KV store lookup definition..

However changing the search to "|inputlookup asset_lookup-by_str.csv" still gets me:

 Non-result: ERROR The lookup table 'asset_lookup-by_str.csv' requires a .csv or KV store lookup definition..

I suspect there is some combination of non-filesystem access and non-default csv locations that means we are SOL, but happy to be proven wrong by the brains trust!

0 Karma

AGLbwa
Path Finder

This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!

0 Karma

AGLbwa
Path Finder

Just as a follow up with csv I definitely get an error. I get the error:

Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition..

Without .csv I get the same error but *also*:

Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..

0 Karma

ITWhisperer
SplunkTrust

What error do you get?

0 Karma

ssharm223
Loves-to-Learn
'ERROR', 'text': "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition

 

This is the error I am getting

0 Karma

ITWhisperer
SplunkTrust

Looks like you need to set up a definition for the lookup

ITWhisperer_0-1652452352271.png

 

0 Karma

ssharm223
Loves-to-Learn

Thanks ITWhisperer.  Can you list the exact steps we have to follow?  I am very new to this.

0 Karma

ITWhisperer
SplunkTrust
0 Karma

ssharm223
Loves-to-Learn

Went over this with an admin.  Looks like the lookup is already defined.  Is there anything else I can try?

0 Karma
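
An added example, not code from any poster in this thread or from Splunk: it builds the namespaced `search/jobs` request discussed above as a blocking `exec_mode=oneshot` search and pulls ERROR messages such as the lookup-definition one out of the JSON body. The host, the `nobody`/`search` namespace, and the `SPLUNK_USER`/`SPLUNK_PASSWORD` environment variable names are assumptions; the sample error body is constructed.

```python
import os
from urllib.parse import quote

# Constructed sample body, shaped like the error quoted in this thread.
SAMPLE_ERROR = {"messages": [{"type": "ERROR", "text":
    "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition."}]}


def build_oneshot_request(base_url, owner, app, spl):
    """Return (url, form_data) for a blocking search in the owner/app namespace."""
    # The servicesNS/<owner>/<app> prefix sets the app context the search runs
    # in; a lookup definition shared only within another app is not visible here.
    ns = f"{quote(owner, safe='')}/{quote(app, safe='')}"
    url = f"{base_url.rstrip('/')}/servicesNS/{ns}/search/jobs"
    spl = spl.strip()
    if not spl.startswith(("|", "search ")):
        spl = "search " + spl  # REST searches must begin with a command
    return url, {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}


def split_response(body):
    """Separate result rows from ERROR/FATAL messages in a JSON response body."""
    errors = [m.get("text", "") for m in body.get("messages", [])
              if m.get("type") in ("ERROR", "FATAL")]
    return body.get("results", []), errors


def run_search(base_url, owner, app, spl, ca_bundle=True):
    """Run the search and return its rows; raise if Splunk reported an error."""
    import requests  # imported here so the helpers above need only the stdlib

    url, data = build_oneshot_request(base_url, owner, app, spl)
    # Assumed variable names; keeps the password out of the script and repo.
    auth = (os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"])
    # verify stays on: pass the CA bundle path rather than verify=False.
    resp = requests.post(url, data=data, auth=auth, verify=ca_bundle, timeout=60)
    rows, errors = split_response(resp.json())
    if errors or not resp.ok:
        raise RuntimeError(f"HTTP {resp.status_code}: {errors}")
    return rows


if __name__ == "__main__":
    print(build_oneshot_request("https://splunk.example.invalid:8089", "nobody",
                                "search", '| from inputlookup:"cloud_accountList"'))
    print(split_response(SAMPLE_ERROR))
```

Calling `run_search` with the app that owns the lookup definition, and again with a different app, shows whether the error depends on the namespace.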