Community:PySearch
Python Example
This example creates a search job, waits a few seconds for it to complete, then requests two events in JSON format and prints them.
from httplib2 import Http
from urllib import urlencode
import xml.dom.minidom as xml
import sys
import time
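# Log in to splunkd's REST API, start a search job, wait briefly, then fetch
# and print the first two results as JSON.

# set variables
endpoint = 'https://localhost:8089'
authURI = endpoint + '/services/auth/login/'
jobURI = endpoint + '/services/search/jobs/'
# NOTE: these are sample credentials for a local test instance. Replace them
# before using this against a real deployment, and keep real passwords out of
# source files (prompt for them or read them from a protected store instead).
authData = {'username': "admin", 'password': "changeme"}
headers = {}


def first_text(doc, tag):
    """Return the text of the first <tag> element in doc, or None if absent."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or nodes[0].firstChild is None:
        return None
    return nodes[0].firstChild.nodeValue


# initialize our connection handler
# NOTE(review): the password and the session key both travel over this
# connection, so certificate validation should stay enabled. If splunkd
# presents a self-signed or private-CA certificate, pass that CA bundle via
# Http(ca_certs=...) rather than turning validation off.
h = Http()

# open a connection and do a POST for auth
resp, content = h.request(authURI, "POST", urlencode(authData))

# parse our token out of the response
# (minidom does not harden against hostile XML; that is acceptable here only
# because the endpoint is the server configured above.)
xmlDoc = xml.parseString(content)
sessionKey = first_text(xmlDoc, 'sessionKey')
if sessionKey is None:
    # Stop here: continuing would only send an unauthenticated search request.
    print('No session key found!')
    reason = first_text(xmlDoc, 'msg')
    if reason is not None:
        print('Reason=%s' % reason)
    sys.exit(1)
# The session key is a bearer credential; do not print or log it.
headers['Authorization'] = 'Splunk %s' % sessionKey

# set up our search job
postargs = {'search': "search 404 hoursago=24"}
payload = urlencode(postargs)

# open a connection and do a POST for a new job
resp, content = h.request(jobURI, "POST", headers=headers, body=payload)

# parse our job_id out of the response
xmlDoc = xml.parseString(content)
jobId = first_text(xmlDoc, 'sid')
if jobId is None:
    print('No jobs found!')
    # Report the message from the job response. The original read the auth
    # response's elements here, which would have printed the session key as
    # the "reason" whenever login succeeded but job creation failed.
    reason = first_text(xmlDoc, 'msg')
    if reason is not None:
        print('Reason=%s' % reason)
    sys.exit(1)

# hang out for a few seconds to let the search finish - there are better ways...
time.sleep(5)

print(jobId)

# open a connection and do a GET for the returned job_id
fetchURI = jobURI + jobId + "/results?count=2&output_mode=json"
resp, content = h.request(fetchURI, "GET", headers=headers)
print(content)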
Save this as something like read_job.py and then run it:
kord@beast:~$ python read_job.py
1209536258.1551
[
{
"_cd": "0:36995032",
"_index": "main",
"_kv": "1",
"_meta": " date_second::5 date_hour::6 date_minute::56 date_year::2008 date_month::april date_mday::16 date_wday::wednesday date_zone::-240 punct::..._-_-_[//:::_-]_\\\"_//._/.\\\"___\\\"-\\\"_\\\"-\\\"",
"_raw": "63.172.61.87 - - [16/Apr/2008:06:56:05 -0400] \"GET /wordpress/xmlrpc.php HTTP/1.0\" 404 293 \"-\" \"-\"",
"_serial": "94",
"_time": "2008-04-16T06:56:05.000-04:00",
"date_hour": "6",
"date_mday": "16",
"date_minute": "56",
"date_month": "april",
"date_second": "5",
"date_wday": "wednesday",
"date_year": "2008",
"date_zone": "-240",
"host": "beast",
"linecount": "1",
"punct": "..._-_-_[//:::_-]_\"_//._/.\"___\"-\"_\"-\"",
"source": "/var/log/apache2/access.log.2.gz",
"sourcetype": "too_small"
},
{
"_cd": "0:36995022",
"_index": "main",
"_kv": "1",
"_meta": " date_second::5 date_hour::6 date_minute::56 date_year::2008 date_month::april date_mday::16 date_wday::wednesday date_zone::-240 punct::..._-_-_[//:::_-]_\\\"_///._/.\\\"___\\\"-\\\"_\\\"-\\\"",
"_raw": "63.172.61.87 - - [16/Apr/2008:06:56:05 -0400] \"GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0\" 404 296 \"-\" \"-\"",
"_serial": "95",
"_time": "2008-04-16T06:56:05.000-04:00",
"date_hour": "6",
"date_mday": "16",
"date_minute": "56",
"date_month": "april",
"date_second": "5",
"date_wday": "wednesday",
"date_year": "2008",
"date_zone": "-240",
"host": "beast",
"linecount": "1",
"punct": "..._-_-_[//:::_-]_\"_///._/.\"___\"-\"_\"-\"",
"source": "/var/log/apache2/access.log.2.gz",
"sourcetype": "too_small"
}
]