How do I get data from Splunk REST API using pytho...

ssharm223 · ‎05-12-2022

Hi, so my team is currently has some data on Splunk cloud. My task is to use your REST API to get this data using python.

On Splunk web I get this data by using the following query:

| from inputlookup:"cloud_accountList"

I have written a simple python script to get the data:

splunkTenant = 'avc3'
splunkURL = {
    'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234",
}
splunkCredentials = {
    'user': 'test_user',
    'password': 'SplunkIsGreat'
}
searchString = f"| from inputlookup:\"cloud_accountList\""

search = {
    'search': searchString,
    'output_mode': 'json'
}

splunkEndpoints = {
    'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}",
}

cacertpath = '/Users/***/Downloads/cacert.pem'

searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs"

splunk_response = requests.post(
    url=searchURL,
    auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])),
    verify=cacertpath
    data=search)

When I run this script I get an error. Can someone please help me out?

Regards

AGLbwa · ‎08-29-2023

@ssharm223 One thing that may be worth trying is adding the app to your connection parameters. I get a different error when I do this and it may simply be that my permissions aren't set up correctly.

AGLbwa · ‎08-29-2023

@ssharm223 did you ever get an answer to this? Guessing no? I'm having the same issue with accessing a csv lookup that I can access via the web UI, however attempting to access it via API gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str' requires a .csv or KV store lookup definition..

However changing the search to "|inputlookup asset_lookup-by_str.csv" still gets me:

 Non-result: ERROR The lookup table 'asset_lookup-by_str.csv' requires a .csv or KV store lookup definition..

I suspect there is some combination of non-filesystem access and non-default csv locations that means we are SOL, but happy to be proven wrong by the brains trust!

AGLbwa · ‎08-29-2023

This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!

AGLbwa · ‎09-05-2023

Just as a follow up with csv I definitely get an error. I get the error:

Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition..

Without .csv I get the same error but *also*:

Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..

ITWhisperer · ‎05-13-2022

What error do you get?

ssharm223 · ‎05-13-2022

'ERROR', 'text': "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition

This is the error I am getting

ITWhisperer · ‎05-13-2022

Looks like you need to set up a definition for the lookup

ssharm223 · ‎05-13-2022

Thanks ITWhisperer. Can you list the exact steps we have to follow? I am very new to this.

ITWhisperer · ‎05-13-2022

Define a CSV lookup in Splunk Web - Splunk Documentation

ssharm223 · ‎05-16-2022

Went over this with an admin. Looks like the lookup is already defined. Is there anything else I can try?

How do I get data from Splunk REST API using python? Receiving error

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

How do I get data from Splunk REST API using python? Receiving error

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor