Splunk Search

How to search for specific log messages from hosts in a certain IP range

Neiby
Explorer

We often do a search for device configuration changes on Cisco devices in a specific IP range in a certain time frame. From the web UI, the search would look something like this:

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

We take the resulting table and export it to csv for analysis.

I want to find a way to do this same search from Python. I used the examples to get basic searches working, but I don't know how to get this same information. I need to specify the IP range, the log message I'm looking for and the time range. Here is an example where I tried to get all the log entries in that IP range starting from yesterday:

metadata type=hosts | regex host="10\.20\.30\.\d{1,3}" | gentimes start=7/7/2015

That resulted in this error:

Error in 'gentimes' command: This command must be the first command of a search.

I think I'm completely on the wrong track. Any thoughts?

Thanks!

Tags (3)
1 Solution

acharlieh
Influencer

The web ui search of

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

Under the covers is the search:

search sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

I'm not quite following why you wouldn't you be doing something along that line for invoking the search from the API?

To constrain the times that you'd run the search for you'd set the named parameters of earliest_time and latest_time when you create your search job. An example of this for the Python SDK in a oneshot search is here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5#oneshotjob but for other types of searches it'd be similar.

View solution in original post

acharlieh
Influencer

The web ui search of

sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

Under the covers is the search:

search sng_host_ip=10.20.30.0/24 AND "%MGBL-CONFIG-6-DB_COMMIT"

I'm not quite following why you wouldn't you be doing something along that line for invoking the search from the API?

To constrain the times that you'd run the search for you'd set the named parameters of earliest_time and latest_time when you create your search job. An example of this for the Python SDK in a oneshot search is here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE5#oneshotjob but for other types of searches it'd be similar.

acharlieh
Influencer

Thanks for sending the 2 karma points, but they're yours (for doing the right thing and accepting an answer to your question)! You already gave me points by accepting the answer. If an answer, question, or comment is especially helpful, click the vote up (^) button instead. Unlike "award points" It doesn't cost you karma, but it still gives the person who posted it karma, and it gives a way for others to see that people have thought particular posts were helpful as well. (ok, sometimes I'll vote up particularly entertaining posts too)

Neiby
Explorer

Honestly, I have no idea, either. I didn't see any searches that looked like that in the search guide or in the examples, so I just muddled through it. I didn't see anything that straightforward in the search guide, probably because I was looking in all the wrong places.

How would I limit it to a certain time range?

Thanks!

0 Karma

acharlieh
Influencer

Updated the answer with how to constrain the times, and a link to the examples.

Neiby
Explorer

Thanks! That code is FAR simpler and straightforward to use than the other examples I found. The examples I was referring to did not use splunklib, so it was far more confusing.

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...