Hi, a bit of background information. I have a Splunk Enterprise server and I'm working on writing a script to search it for data I want to pull from it (using Python 3 with the Splunk SDK: Splunklib.client, Splunklib.requests).
The way I am currently doing it is that we have an audit viewer which can be used to run a search. This viewer, for example, also shows the query string, so I am using the same query string when I use my script. The problem is, say I run a search in my audit viewer, I'll get two results back, but when I use the exact same string in my script, I get something like 12k lines of results back, which I'm not sure are relevant or not.
This is how I am running the search at the moment:
    import splunklib.client as client
    import splunklib.results as results

    # Connect to splunk servers.
    # Get input of various search parameters.
    query = input("Enter query string, you can create it using the audit viewer: ")
    query = "search " + query
    # Run the export search and start reading results.
    with open("output.txt", "w") as f:
        rr = results.ResultsReader(service.jobs.export(query))
        for result in rr:
            if isinstance(result, results.Message):
                # Diagnostic messages may be returned in the results
                print("Message:", result)
            elif isinstance(result, dict):
                # Normal events are returned as dicts
                print(result, file=f)
        assert rr.is_preview == False
And my file prints out a ton of OrderedDicts of information that, to me, shouldn't be there.
So how do I make sure I only get the results which I perceive to be the correct amount (as in the online viewer)? And lastly, I would like to use these results to get the GUID, which I can use to get the payload for the events. How do I accomplish that?
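The following is an added example, not the original poster's code. It shows the two things a practitioner would want around the export loop above: bounding the search with earliest_time/latest_time (an export run through the REST API with no time bounds defaults to all time, whereas a UI viewer normally applies a time range, which is one plausible reason the same query string returns far more from the script), and building the follow-up search for a single event's payload with the field value quoted so it cannot alter the SPL. The host, port, credentials, the 24-hour window, and the field name "guid" are placeholders and assumptions, not values from the original post; the splunklib import is deferred into the functions that need a live server so the helpers can be tried without one.

```python
"""Added example: bounded Splunk export with the Splunk Python SDK, keeping
only event dicts and building a safe follow-up search for one event.

Assumptions (not from the original post): connection details, the time
window and the field name "guid" are placeholders."""
from collections.abc import Mapping
import json


def normalize_query(query: str) -> str:
    """Prefix a bare search string with 'search ' unless it is already a
    full SPL pipeline (starts with 'search ' or a '|' generating command)."""
    q = query.strip()
    if q.startswith("|") or q.lower().startswith("search "):
        return q
    return "search " + q


def spl_quote(value: str) -> str:
    """Quote a field value for use inside SPL, escaping backslashes and
    double quotes so a value copied out of a result cannot break out of
    the string literal and change the meaning of the search."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def followup_query(field: str, value: str, base: str = "") -> str:
    """Build the second search that pulls the payload for one event by
    matching on the given field (the field name is an assumption)."""
    term = f"{field}={spl_quote(value)}"
    base = base.strip()
    return normalize_query(f"{base} {term}" if base else term)


def split_results(stream):
    """Separate event dicts from diagnostic messages in a results stream.
    Works on the SDK's ResultsReader output (dicts and results.Message
    objects) and on any iterable shaped the same way."""
    events, messages = [], []
    for item in stream:
        if isinstance(item, Mapping):
            events.append(dict(item))
        else:
            messages.append(str(item))
    return events, messages


def run_export(service, query, earliest, latest):
    """Stream a time-bounded export search. Without earliest_time and
    latest_time a REST search runs over all time, so an unbounded export
    can return far more than the same string run in a UI with a time picker."""
    from splunklib import results  # needs a live Splunk server to be useful
    stream = service.jobs.export(
        normalize_query(query),
        earliest_time=earliest,
        latest_time=latest,
    )
    reader = results.ResultsReader(stream)
    events, messages = split_results(reader)
    assert not reader.is_preview  # the SDK's own examples assert this for export
    return events, messages


def main():
    import splunklib.client as client
    # Placeholder connection details (assumption).
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme")
    query = input("Enter query string: ")
    events, messages = run_export(service, query, "-24h@h", "now")
    for m in messages:
        print("splunkd:", m)
    with open("output.txt", "w") as f:
        for e in events:
            print(json.dumps(e), file=f)
    print(f"{len(events)} events written")
    if events and "guid" in events[0]:  # "guid" is an assumed field name
        print("follow-up:", followup_query("guid", events[0]["guid"], "index=main"))


if __name__ == "__main__":
    main()
```

Compare the event count from the bounded export against the viewer with the same time range before trusting either number; if they still differ, the viewer may be adding filters that are not part of the displayed query string.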