Here is my latest attempt at using the SDK from Python. SplunkDev helped out a great deal with this.
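#!c:/Python26/python.exe -u
"""List the enabled sidewinder rules held in Splunk and print each rule's cluster.

Connects to splunkd with the settings below, runs a blocking search, streams
the XML results through ResultsReader, prints the "cluster" field of every
result row, and finally reports the number of rows and the elapsed time.
"""
import splunk.client as client
import splunk.results as results
import sys, datetime
import os
from pprint import pprint

HOST = "localhost"
PORT = 8090
USERNAME = "admin"
# The password is taken from the environment when SPLUNK_PASSWORD is set; the
# literal is kept only as a fallback for the original behaviour and should be
# removed so the credential is never stored in (or pasted along with) the source.
PASSWORD = os.environ.get("SPLUNK_PASSWORD", "abc123")

# NOTE(review): whether connect() verifies the server certificate is not
# visible here -- confirm against the SDK version in use before pointing this
# at anything other than localhost.
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)
# ----------------------------------------
oldtime = datetime.datetime.now()
# Enabled rules (disable=no) from the last 8 days, one row per (name, cluster).
search = 'search index="sidewinder_rules" table=rule disable=no earliest=-8d| dedup name,cluster |table cluster,name,rulegroup,sourcetype,appcode,_time'
# exec_mode="blocking" makes create() return only once the search has
# finished; max_count=5000 caps the number of rows the job keeps.
job = service.jobs.create(search, exec_mode="blocking", max_count=5000)
# count=0 asks for every row instead of the default page of 100.
job_results = job.results(count=0, output_mode="xml")
reader = results.ResultsReader(job_results)

num_results = 0
for kind, result in reader:
    # The reader yields (kind, item) pairs; only results.RESULT items are rows.
    if kind != results.RESULT:
        continue
    num_results += 1
    # Field lookups fall back to 0 when the field is absent from the row.
    row = {
        "cluster": result.get("cluster", 0),
        "rulegroup": result.get("rulegroup", 0),
        "name": result.get("name", 0),
        "sourcetype": result.get("sourcetype", 0),
        "appcode": result.get("appcode", 0),
    }
    pprint(row["cluster"])

newtime = datetime.datetime.now()
# print() with a single argument works unchanged on Python 2 and 3.
print("Rows returned: %d" % num_results)
print("Elapsed Time: %s" % (newtime - oldtime))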
I still have to make some improvements as suggested by SplunkDev, but it functions for my needs.
It also retrieves more than the default 100 rows when returning results (count=0) and sets a limit of 5000 rows (max_count).