Multiprocessing with one connection python

jfuruness · ‎01-12-2018

Can two different child processes share/inherit one splunk connection, and run simultaneous searches? For some reason whenever I do this I get http: 404 not found -- unknown sid errors

mayurr98 · ‎01-12-2018

The workaround for this
After starting search, go to Jobs page under Activity from top right hand corner. Then hit Save for the search you are running.
This error usually happens on long searches and this workaround helps.

Also you can try configure below in limits.conf

 ttl = <integer>
 * How long search artifacts should be stored on disk once completed, in
   seconds. The ttl is computed relative to the modtime of status.csv of the job
   if such file exists or the modtime of the search job's artifact directory. If
   a job is being actively viewed in the Splunk UI then the modtime of
   status.csv is constantly updated such that the reaper does not remove the job
   from underneath.
 * Defaults to 600, which is equivalent to 10 minutes.

let me know if this helps!

jfuruness · ‎01-12-2018

These searches occur automatically, so I cannot hit save as you are suggesting. Also, they only take about a minute to search, which is much less than the time to live in limits.conf. Are you sure it's not because I am running multiple searches simultaneously on the same connection (in multiple processes)? Also, do you know if it is allowed to have multiple processes inherit/share the same connection?

jfuruness · ‎01-12-2018

this is using the python sdk for splunk

Multiprocessing with one connection python

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout