In the Splunk UI, I can have a query such as the following...
host="cmhlpecomweb*" sourcetype=access_combined "GET /check-out/actions/gift-card-submit.jsp"
I have been unable to find how to do this through the splunklib Python client.
I have tried numerous combinations, and can find no reference to how to do this in the Splunk documentation.
Examples of what has been tried
service.jobs.export("host=cmhlpecomweb* sourcetype=access_combined | search GET /check-out/actions/gift-card-submit.jsp",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))
service.jobs.export("regex field= host=cmhlpecomweb* sourcetype=access_combined | search GET /check-out/actions/gift-card-submit.jsp",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))
service.jobs.export("search GET /check-out/actions/gift-card-submit.jsp | host=cmhlpecomweb* sourcetype=access_combined ",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))
service.jobs.export("search GET /check-out/actions/gift-card-submit.jsp host=cmhlpecomweb* sourcetype=access_combined ",
**{"earliest_time":"2017-02-13T10:00:00.000-07:00"}))
Surely this can't be this difficult, but after spending the better part of an afternoon, I give up. Is this documented, or even possible? If documented, a pointer to that info would be great!
Are you using the results reader?
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Search/ExportdatausingSDKs
import splunklib.client as client
import splunklib.results as results
service = client.connect(…)
rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head
Hi,
I am, but the syntax I had above consistently threw exceptions. I have since found that I can simply prefix the same search string with "search" (go figure :)), and escape the double quotations for host. After that, it works.
I will wait to verify I am not still missing anything, and then accept your answer.
Thanks,
Steve
You can escape your quotes if you need them: just add a \ before them ... \" should work... maybe \"
I think I found this, as the following works...
rr = results.ResultsReader(service.jobs.export("search host=\"cmhlpecomweb*\" sourcetype=access_combined GET /catalog/actions/giftcard-balance-submit.jsp",
**{"earliest_time":"2016-12-31T23:57:00.000-05:00",
"latest_time":"2017-01-01T00:00:00.000-05:00"}))
I think a more complete example should be in the docs for this, rather than search * | head 5.
Regardless, it works, so thanks to anyone that gave this some thought.
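A fuller version of the working call above, as an added example that is not part of the original thread or of the Splunk documentation: it writes out the leading "search" command and quotes every value, so a quote or backslash inside a value cannot end the string early and change the query. The helper names (spl_quote, build_export_query, export_events) and the connection details are assumptions made for illustration.

```python
def spl_quote(value):
    """Wrap a value in double quotes for SPL, escaping backslashes and quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_export_query(phrase=None, **fields):
    """Build a search string for service.jobs.export().

    The UI search bar adds the leading "search" command implicitly; a query
    sent through the SDK has to spell it out.
    """
    parts = ["search"]
    for name, value in fields.items():
        # Field names are never quoted, so only plain identifiers are accepted.
        if not name.replace("_", "").isalnum():
            raise ValueError("unexpected field name: %r" % name)
        parts.append("%s=%s" % (name, spl_quote(value)))
    if phrase is not None:
        parts.append(spl_quote(phrase))
    return " ".join(parts)


def export_events(service, query, earliest, latest):
    """Yield result rows (dicts) from an export, skipping diagnostic messages."""
    # Imported here so the query builder can be used and tested without the SDK.
    import splunklib.results as results
    stream = service.jobs.export(query, earliest_time=earliest, latest_time=latest)
    for item in results.ResultsReader(stream):
        if isinstance(item, dict):
            yield item


if __name__ == "__main__":
    import splunklib.client as client
    # Placeholder connection details (assumptions, not from the thread).
    service = client.connect(host="splunk.example.com", port=8089,
                             username="USER", password="PASSWORD")
    query = build_export_query("GET /check-out/actions/gift-card-submit.jsp",
                               host="cmhlpecomweb*", sourcetype="access_combined")
    for event in export_events(service, query,
                               "2017-02-13T10:00:00.000-07:00", "now"):
        print(event.get("_raw"))
```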