Re: Real time search with python sdk and | stats

maurelio79 · ‎01-26-2014

Hi guys, i think i'm missing something.
I'm try to make a real time search with python sdk; after connection if i run this search:

search = "search index=main sourcetype=access_combined method=GET"

there is no problem: the shell quite soon start to output something like

OrderedDict([('_confstr', 'source::/home/maurelio/Web/heatmiser/log/access.log|host::DPL101|access_combined'), ('_indextime', '1390773156'), ('_kv', '1'), ('_raw', '79.10.253.90 - - [26/Jan/2014:22:52:32] "GET /jqwidgets/jqxscrollbar.js HTTP/1.1" 304 - "<link_removed>" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'), ('_serial', '11'), ('_sourcetype', 'access_combined'), ('_time', '2014-01-26 22:52:32.000 CET'), ('host', 'DPL101'), ('index', 'main'), ('linecount', '1'), ('method', 'GET'), ('source', '/home/maurelio/Web/heatmiser/log/access.log'), ('sourcetype', 'access_combined'), ('splunk_server', 'DPL101')])
None
OrderedDict([('_confstr', 'source::/home/maurelio/Web/heatmiser/log/access.log|host::DPL101|access_combined'), ('_indextime', '1390773156'), ('_kv', '1'), ('_raw', '79.10.253.90 - - [26/Jan/2014:22:52:32] "GET /jqwidgets/jqxchart.js HTTP/1.1" 304 - "<link_removed>" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'), ('_serial', '12'), ('_sourcetype', 'access_combined'), ('_time', '2014-01-26 22:52:32.000 CET'), ('host', 'DPL101'), ('index', 'main'), ('linecount', '1'), ('method', 'GET'), ('source', '/home/maurelio/Web/heatmiser/log/access.log'), ('sourcetype', 'access_combined'), ('splunk_server', 'DPL101')])
None

But if i change my search in:

search = "search index=main sourcetype=access_combined method=GET | stats count by status"

i get no output in the shell; the script stay there without "output" nothing.
Of course the seme search works in splunk web.

What i'm missing?
Thanks

UPDATE
Ok i answer to my self: simply it takes many minutes to start (about 3/4 minutes) but after that it starts, by the way i'd like to know why this big difference.

UPDATE WITH CODE

search = "search index=main sourcetype=access_combined method=GET | stats count by status"
    DATA = []

    try:
        result = service.get(
            "search/jobs/export",
            search=search,
            earliest_time="rt", 
            latest_time="rt", 
            search_mode="realtime")

        for result in ResultsReader(result.body):
            if result is not None:
              # DATA.append([result["status"], result["count"]])
                print(result)


    except KeyboardInterrupt:
            print "\nInterrupted."

jkat54 · ‎04-09-2017

The stats command is waiting until the map reduce queue fills before returning results...

Try tweaking the rt_queue_size or reduce_freq search options that are mentioned here:

http://dev.splunk.com/view/python-sdk/SP-CAAAEE5

maurelio79 · ‎01-26-2014

Of course! Updated my post.

s2upin · ‎04-08-2017

thanks you !

Damien_Dallimor · ‎01-26-2014

Can I see your python code ?

Real time search with python sdk and | stats

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Real time search with python sdk and | stats

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...