An example of kicking off a saved search from Python without using the SDK #splunk
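import splunk.auth
import splunk.rest
import splunk.search
import json
import os
import time

# Name of the saved search to dispatch. It runs with the permissions of the
# account that authenticates below, so that account only needs read access to
# this search and the indexes it covers -- it does not need to be admin.
SAVED_SEARCH_NAME = "Errors in the last 24 hours"

# Upper bound on how long to wait for the job. The original polled forever, so
# a stuck or very slow search would hang this script indefinitely.
SEARCH_TIMEOUT_SECONDS = 300
POLL_INTERVAL_SECONDS = 1


def _get_credentials():
    """Return ``(username, password)`` read from the environment.

    Credentials are deliberately not hard-coded: the original shipped Splunk's
    factory default ``admin`` / ``changeme``, which ends up in version control
    and in every copy of the script. If this runs inside Splunk itself
    (scripted input, alert action), prefer the session key Splunk already
    hands you instead of re-authenticating -- check the calling context.

    Raises:
        RuntimeError: if ``SPLUNK_USERNAME`` or ``SPLUNK_PASSWORD`` is unset.
    """
    username = os.environ.get("SPLUNK_USERNAME")
    password = os.environ.get("SPLUNK_PASSWORD")
    if not username or not password:
        raise RuntimeError(
            "Set SPLUNK_USERNAME and SPLUNK_PASSWORD in the environment"
        )
    return username, password


def _wait_for_job(job, timeout=SEARCH_TIMEOUT_SECONDS, interval=POLL_INTERVAL_SECONDS):
    """Poll ``job.isDone`` until the search finishes or ``timeout`` elapses.

    Args:
        job: the dispatched search job (must expose ``isDone`` and ``id``).
        timeout: seconds to wait before giving up.
        interval: seconds between polls.

    Raises:
        RuntimeError: if the job is still running after ``timeout`` seconds.
            The job is left as-is on the server; cancel it there if you do
            not want it to keep consuming search resources.
    """
    deadline = time.time() + timeout
    while not job.isDone:
        if time.time() >= deadline:
            raise RuntimeError(
                "Search job %s did not finish within %s seconds" % (job.id, timeout)
            )
        time.sleep(interval)


def main():
    """Authenticate, dispatch the saved search, wait for it and print hosts."""
    username, password = _get_credentials()
    # The session key is a bearer credential for this user: never print or
    # log it, and keep it only for the lifetime of this script.
    session_key = splunk.auth.getSessionKey(username=username, password=password)

    job = splunk.search.dispatchSavedSearch(
        SAVED_SEARCH_NAME, session_key, earliestTime="-24h@h", latestTime="now"
    )
    print("Started job %s" % job.id)

    _wait_for_job(job)

    # Note: you will need to modify how you get output depending on whether
    # you want the events, results, or a preview of the results:
    # 1) job.results         -- when the search uses a reporting command (e.g. "stats")
    # 2) job.results_preview -- when the search isn't done yet and you want the preview
    # 3) job.events          -- when you want the raw events and no reporting command is used
    dataset = job.events
    for event in dataset:
        print(event["host"])


if __name__ == "__main__":
    main()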