Solved: Re: How to search for specific log messages from h...

Neiby · ‎07-08-2015

We often do a search for device configuration changes on Cisco devices in a specific IP range in a certain time frame. From the web UI, the search would look something like this:

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

We take the resulting table and export it to csv for analysis.

I want to find a way to do this same search from Python. I used the examples to get basic searches working, but I don't know how to get this same information. I need to specify the IP range, the log message I'm looking for and the time range. Here is an example where I tried to get all the log entries in that IP range starting from yesterday:

metadata type=hosts | regex host="10\.20\.30\.\d{1,3}" | gentimes start=7/7/2015

That resulted in this error:

Error in 'gentimes' command: This command must be the first command of a search.

I think I'm completely on the wrong track. Any thoughts?

Thanks!

acharlieh · ‎07-08-2015

The web ui search of

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

Under the covers is the search:

search sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

I'm not quite following why you wouldn't you be doing something along that line for invoking the search from the API?

To constrain the times that you'd run the search for you'd set the named parameters of earliest_time and latest_time when you create your search job. An example of this for the Python SDK in a oneshot search is here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5#oneshotjob but for other types of searches it'd be similar.

View solution in original post

acharlieh · ‎07-08-2015

The web ui search of

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

Under the covers is the search:

search sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

I'm not quite following why you wouldn't you be doing something along that line for invoking the search from the API?

To constrain the times that you'd run the search for you'd set the named parameters of earliest_time and latest_time when you create your search job. An example of this for the Python SDK in a oneshot search is here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5#oneshotjob but for other types of searches it'd be similar.

acharlieh · ‎07-08-2015

Thanks for sending the 2 karma points, but they're yours (for doing the right thing and accepting an answer to your question)! You already gave me points by accepting the answer. If an answer, question, or comment is especially helpful, click the vote up (^) button instead. Unlike "award points" It doesn't cost you karma, but it still gives the person who posted it karma, and it gives a way for others to see that people have thought particular posts were helpful as well. (ok, sometimes I'll vote up particularly entertaining posts too)

Neiby · ‎07-08-2015

Honestly, I have no idea, either. I didn't see any searches that looked like that in the search guide or in the examples, so I just muddled through it. I didn't see anything that straightforward in the search guide, probably because I was looking in all the wrong places.

How would I limit it to a certain time range?

Thanks!

acharlieh · ‎07-08-2015

Updated the answer with how to constrain the times, and a link to the examples.

Neiby · ‎07-08-2015

Thanks! That code is FAR simpler and straightforward to use than the other examples I found. The examples I was referring to did not use splunklib, so it was far more confusing.

How to search for specific log messages from hosts in a certain IP range

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...