I was successful in getting results by using the following code, but let me know if it's not working for you:
from splunklib.binding import connect
from splunklib.modularinput.utils import parse_parameters
from splunklib import client, results
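def cleanup_tail(options):
    """Write the closing text that terminates the tail of a recovered export.

    Args:
        options: dict with ``format`` (``"csv"``, ``"xml"``, or anything else,
            which is treated as the JSON-style case) and ``fd``, the output
            file object.

    The terminator is written as bytes: ``export`` in this file writes the
    response body and an encoded newline to the same ``fd``, so the file
    object has to be a binary one and a ``str`` write would raise TypeError.
    """
    terminators = {
        "csv": b"\n",
        "xml": b"\n</results>\n",
    }
    # Any other format falls through to the closing bracket.
    options['fd'].write(terminators.get(options['format'], b"\n]\n"))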
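def export(options, service, index):
    """Export the events of one index through the ``search/jobs/export`` endpoint.

    Builds a search string for the index, requests the export until the
    response status is 200, then copies the response body to ``options['fd']``.

    Args:
        options: dict providing ``format``, ``fixtail`` and ``fd`` (a writable
            file object that accepts bytes). ``index``, ``start`` and ``end``
            are optional; a missing ``start``/``end`` means no time bound.
        service: connected object whose ``get`` method issues the request.
        index: index name used when ``options`` has no ``index`` entry.

    The request is retried every 60 seconds, with no upper limit, for as long
    as the status is not 200.
    """
    import time  # used by the retry sleep; not imported at the top of the snippet

    start = options.get('start', "")
    end = options.get('end', "")
    fixtail = options['fixtail']
    once = True

    # The index and time bounds are placed into the search string verbatim.
    # If they can come from anyone other than the operator, validate them
    # first: a value containing spaces or a pipe changes what splunkd runs.
    # The separating space after "search" is required; without it the query
    # starts with "searchindex=...".
    squery = "search index=%s" % options.get('index', index)
    if start != "":
        squery += " earliest_time=%s" % start
    if end != "":
        squery += " latest_time=%s" % end
    print(squery)

    success = False
    while not success:
        # issue query to splunkd
        # count=0 overrides the maximum number of events
        # returned (normally 50K) regardless of what the .conf
        # file for splunkd says.
        result = service.get('search/jobs/export',
                             search=squery,
                             output_mode=options['format'],
                             timeout=60,
                             earliest_time="0.000",
                             time_format="%s.%Q",
                             count=0)
        print(result.status)
        if result.status != 200:
            print("warning: export job failed: %d, sleep/retry" % result.status)
            time.sleep(60)
        else:
            success = True

    # write export file
    while True:
        if fixtail and once:
            cleanup_tail(options)
            once = False
        content = result.body.read()
        if len(content) == 0:
            break
        options['fd'].write(content)
        options['fd'].write("\n".encode("utf-8"))

    options['fd'].flush()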
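import os

# Connection settings and credentials are read from the environment instead
# of being written into the script, so the password does not end up in source
# control or in a pasted snippet. The variable names are examples made up for
# this snippet; use whatever your deployment provides.
options = {"host": os.environ["SPLUNK_HOST"],
           "port": int(os.environ["SPLUNK_PORT"]),
           "username": os.environ["SPLUNK_USERNAME"],
           "password": os.environ["SPLUNK_PASSWORD"],
           "format": "csv",
           "fixtail": False,
           # export() also reads these keys; the dict previously lacked them.
           "index": os.environ["SPLUNK_EXPORT_INDEX"],
           "start": "",
           "end": ""}

# export() takes the index as an argument as well; this name was undefined.
index = options["index"]

# Only the connection settings are passed to connect().
# NOTE(review): depending on the SDK release, TLS certificate verification
# may be off by default; check the `verify` option of your splunklib version.
service = connect(host=options["host"],
                  port=options["port"],
                  username=options["username"],
                  password=options["password"])

# export() writes bytes, so the output file is opened in binary mode.
# "export.csv" is an example path.
with open("export.csv", "wb") as fd:
    options["fd"] = fd
    export(options, service, index)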