Splunk Search

Use Python API on a query

MK3
Explorer

Hello,

I have a query used on Splunk enterprise web (search)-

 "index="__eit_ecio*"  | ... | bin _time span=12h | ... | table ... |

I am trying to put that into a python API code using Job class as this -

searchquery_oneshot ="<my above query>"

I am getting error - "SyntaxError: invalid decimal literal" pointing to the 12h  in main query.

How can I fix this?

[2) Can I direct "collect" results (summary index) via this API into json format?]

Thanks

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. This search is not proper SPL. The quotes don't add up so it's not obvious if you're quoting whole search or indeed have unneeded quotes in it.

2. Are you sure you're not forgetting about escaping quotes in your string containing search?

3. On Splunk's side, back around 8.0 or even a bit after that the order of arguments with bin and timechart was important. You needed to put the "span=12h" as the first parameter immediately after the command. With sufficiently modern Splunk version it's more lenient to just placing the span parameter almost anywhere.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...