pythonsplunksplunk-querysplunk-api

python script to run splunk query and get output as text output


Trying to run below code it executes but I do not get the correct value any help is appreciated expecting single value like 492. Code runs but does not give the correct value. Tried splunk library but unable to use those.

import urllib
import httplib2 #import library
import json
import pprint
import time
import re
from xml.dom import minidom

searchquery = 'search index="movable_in" sourcetype="movable:in:assets" | stats avg(exposure_score)'

myhttp = httplib2.Http()
baseurl = 'https://xxxx.splunkxxx.com:8089'
usernamesp = 'xxxx'
passwordsp = 'xxxx'


def get_splunk_result(searchquery):
    # Step 1: Get a session key
    servercontent = myhttp.request(f'{baseurl}/services/auth/login', 'POST', headers={},
                                   body=urllib.parse.urlencode({'username': usernamesp, 'password': passwordsp}))[1]
    sessionkey = minidom.parseString(servercontent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
    # print ("====>sessionkey:  %s  <====" % sessionkey)
    sid = ''
    # ------------------
    if not searchquery.startswith('search'):
        searchquery = f'search {searchquery}'

    # Step 2: Get a sid with the search query
    i = 0
    while True:
        time.sleep(1)
        try:
            searchjob = myhttp.request(f'{baseurl}/services/search/jobs', 'POST',
                                       headers={F'Authorization': F'Splunk %s' % sessionkey},
                                       body=urllib.parse.urlencode({'search': searchquery}))[1]
            sid = minidom.parseString(searchjob).getElementsByTagName('sid')[0].childNodes[0].nodeValue
            break
        except:
            i = i + 1
            # print(i)
            if (i > 30): break
    # print("====>SID:  %s  <====" % sid)
    # Step 3: Get search status

    myhttp.add_credentials(usernamesp, passwordsp)
    servicessearchstatusstr = '/services/search/jobs/%s/' % sid

    isnotdone = True
    while isnotdone:
        searchstatus = myhttp.request(f'{baseurl}{servicessearchstatusstr}', 'GET')[1]
        isdonestatus = re.compile('isDone">(0|1)')
        strstatus = str(searchstatus)
        isdonestatus = isdonestatus.search(strstatus).groups()[0]
        if (isdonestatus == '1'):
            isnotdone = False
# Step 4: Get the search result

    services_search_results_str = '/services/search/jobs/%s/results?output_mode=json_rows&count=0' % sid
    searchresults = myhttp.request(f'{baseurl}{services_search_results_str}', 'GET')[1]

    searchresults = json.loads(searchresults)
    # searchresults = splunk_result(searchresults)
    return searchresults


output = get_splunk_result(searchquery)
print(output)

Solution

  • import urllib
    import httplib2 #import library
    import json
    import pprint
    import time
    import re
    from xml.dom import minidom
    
    searchquery = 'search index="movable_in" sourcetype="movable:in:assets" | stats avg(exposure_score)'
    
    myhttp = httplib2.Http()
    baseurl = 'https://xxxx.splunkxxx.com:8089'
    usernamesp = 'xxxx'
    passwordsp = 'xxxx'
    
    
    def get_splunk_result(searchquery):
        # Step 1: Get a session key
        servercontent = myhttp.request(f'{baseurl}/services/auth/login', 'POST', headers={},
                                       body=urllib.parse.urlencode({'username': usernamesp, 'password': passwordsp}))[1]
        sessionkey = minidom.parseString(servercontent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
        # print ("====>sessionkey:  %s  <====" % sessionkey)
        sid = ''
        # ------------------
        if not searchquery.startswith('search'):
            searchquery = f'search {searchquery}'
    
        # Step 2: Get a sid with the search query
        i = 0
        while True:
            time.sleep(1)
            try:
                searchjob = myhttp.request(f'{baseurl}/services/search/jobs', 'POST',
                                           headers={F'Authorization': F'Splunk %s' % sessionkey},
                                           body=urllib.parse.urlencode({'search': searchquery}))[1]
                sid = minidom.parseString(searchjob).getElementsByTagName('sid')[0].childNodes[0].nodeValue
                break
            except:
                i = i + 1
                # print(i)
                if (i > 30): break
        # print("====>SID:  %s  <====" % sid)
        # Step 3: Get search status
    
        myhttp.add_credentials(usernamesp, passwordsp)
        servicessearchstatusstr = '/services/search/jobs/%s/' % sid
    
        isnotdone = True
        while isnotdone:
            searchstatus = myhttp.request(f'{baseurl}{servicessearchstatusstr}', 'GET')[1]
            isdonestatus = re.compile('isDone">(0|1)')
            strstatus = str(searchstatus)
            isdonestatus = isdonestatus.search(strstatus).groups()[0]
            if (isdonestatus == '1'):
                isnotdone = False
    # Step 4: Get the search result
    
        services_search_results_str = '/services/search/jobs/%s/results?output_mode=json_rows&count=0' % sid
        searchresults = myhttp.request(f'{baseurl}{services_search_results_str}', 'GET')[1]
    
        searchresults = json.loads(searchresults)
        # searchresults = splunk_result(searchresults)
        return searchresults
    
    
    output = get_splunk_result(searchquery)
    print(output)