Splunk Dev

SDK and specifying App context/namespace

rharrisssi
Path Finder

I've troubleshot this for a while; I must not be comprehending this correctly. Basically I'm trying to use the | savedsearch command to execute a saved search. Straightforward, right? The hitch is that I'm trying to do it via the API using the SDK, but when I've tried, it cannot find the search by the name I specify; I can copy/paste directly into Splunk and it works, so I'm good there.

Basically anyone who is able to use the Splunk SDK to execute an arbitrary SPL query, but within the context of a specific app, could likely help me; but it's appreciated regardless! Here is some basic code to describe what I'm doing:

from time import sleep
from splunklib import client

config = {"searches": ["search index=firewall | ... | outputlookup mylookup", "..."]}

# app= sets the namespace the searches are dispatched in
service = client.connect(host="foo", username="user", password="pass", app="my_app_name")
jobs = service.jobs
for search in config["searches"]:
    myargs = {"exec_mode": "normal"}
    job = jobs.create(search, **myargs)
    # is_done() refreshes the job and stays False until the sid is ready and finished;
    # sleeping between polls avoids hammering the management port
    while not job.is_done():
        sleep(2)

That is the most relevant piece of the code. I'm not looking to bring the results back, which is why you don't see that. I'm more interested in executing a search that is used to populate some lookups, and use lookups, which is why I need to figure out why the app context is not working for me. Perhaps I'm just doing it wrong!

0 Karma
1 Solution

damien_chillet
Builder

I can run saved searches in a specific context without any problem using the SDK.

I use the following code:

instance = client.connect(host="localhost", username="user", password="pass", app="my_app")
job = instance.jobs.create("| savedsearch Rule1")

Where Rule1 is a saved search with my_app permissions.
If your saved search has private permissions, you will have to add owner="search_owner" to the parameters!

You can try adding the following at the beginning of the script; it will print SDK debug logs in the console and could be helpful!

import logging
logging.basicConfig(level=logging.DEBUG)


0 Karma

aliakseidzianis
Path Finder

This has puzzled me too. Turned out, default connect parameters don't give you access to objects that are set to "private" by other users. To get that, you need to explicitly specify it with wildcard, which is "-". Put that in your ~/.splunkrc or manually set in connect() method.

# Splunk host (default: localhost)
host=HOSTNAMEHERE
# Splunk admin port (default: 8089)
port=8089
# Splunk username
username=USERNAMEHERE
# Splunk password
password=PASSHERE
# Access scheme (default: https)
scheme=https
# Your version of Splunk (default: 5.0)
version=6.6.4
#app context
app=-
#owner wildcard
owner=-

After that, you should be able to see all objects. For example this should return all searches (global, app, user) from all apps:

import sys
from splunklib import client
from utils import parse  # helper from the SDK's examples/ directory that reads .splunkrc

def main():
    opts = parse(sys.argv[1:], {}, ".splunkrc")
    service = client.connect(**opts.kwargs)

    savedsearches = service.saved_searches

    for s in savedsearches:
        print(s.name, s.access["owner"], s.access["sharing"])

if __name__ == "__main__":
    main()

I hope it helps!

0 Karma
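The accepted answer (connect with app=, add owner= for a private search) and the .splunkrc post above (the "-" wildcard for owner and app) describe the same mechanism: the SDK turns the owner/app given to connect() into a /servicesNS/<owner>/<app>/ REST path, and | savedsearch only resolves names visible in that namespace. The block below is an added example written for this thread, not code from any of the posts. It assumes splunk-sdk is installed (the import is deferred so the helpers run without it), placeholder host/credentials, and a simplified model of Splunk's visibility rules that ignores role ACLs; the sample inventory is constructed.

```python
import time

# Splunk's REST API scopes knowledge objects by namespace:
#   /servicesNS/<owner>/<app>/...   ("-" is the wildcard for either part)
# The SDK builds these paths from the owner=/app= values passed to connect().
def servicesns_path(owner, app, endpoint):
    """Return the namespaced REST path the SDK requests for an endpoint."""
    if not owner or not app:
        raise ValueError("owner and app must be non-empty ('-' is the wildcard)")
    return "/servicesNS/{}/{}/{}".format(owner, app, endpoint.lstrip("/"))


def is_visible(obj, owner, app):
    """Simplified model (written for this example, not the SDK's code) of which
    objects a namespace can resolve by name: global objects everywhere,
    app-shared objects in their app, private ('user') objects only for their
    owner; '-' matches anything. Role read permissions are NOT modelled."""
    sharing = obj["sharing"]
    in_app = app in ("-", obj["app"])
    if sharing == "global":
        return True
    if sharing == "app":
        return in_app
    # sharing == "user": a private object
    return in_app and owner in ("-", obj["owner"])


# Constructed sample inventory (not real data), shaped like the
# name / access.owner / access.sharing values service.saved_searches yields.
SAMPLE_SEARCHES = [
    {"name": "Rule1", "owner": "nobody", "sharing": "app", "app": "my_app"},
    {"name": "Global Errors", "owner": "admin", "sharing": "global", "app": "search"},
    {"name": "bobs_private", "owner": "bob", "sharing": "user", "app": "my_app"},
]


def visible_names(searches, owner, app):
    """Names that `| savedsearch <name>` could resolve in the given namespace."""
    return [s["name"] for s in searches if is_visible(s, owner, app)]


def wait_for_job(job, poll_seconds=2.0, timeout_seconds=600,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll job.is_done() (which refreshes the job) instead of busy-waiting,
    and give up after a deadline so a stuck search cannot hang the script."""
    deadline = clock() + timeout_seconds
    while not job.is_done():
        if clock() > deadline:
            raise TimeoutError("job %s did not finish" % getattr(job, "sid", "?"))
        sleep(poll_seconds)
    return job


def run_saved_search(host, username, password, app, name, owner=None, **dispatch_args):
    """Connect in the given namespace, confirm the saved search resolves there,
    dispatch it through the SavedSearch object and wait for completion.
    host/username/password/app/name are placeholders supplied by the caller."""
    from splunklib import client  # lazy import: helpers above run without the SDK

    kwargs = dict(host=host, username=username, password=password, app=app)
    if owner is not None:
        kwargs["owner"] = owner  # required to reach another user's private search
    service = client.connect(**kwargs)

    searches = service.saved_searches
    if name not in searches:
        # Listing what IS visible is the fastest way to spot a namespace mismatch
        visible = [(s.name, s.access["owner"], s.access["sharing"]) for s in searches]
        raise LookupError("%r not visible in namespace owner=%s app=%s; visible: %r"
                          % (name, kwargs.get("owner", "<default>"), app, visible))

    job = searches[name].dispatch(**dispatch_args)
    return wait_for_job(job)
```

Two practical caveats. owner="-" combined with a privileged account enumerates every user's private searches, so run this kind of automation under a dedicated role that can read only the app it needs, rather than an admin, and remember that a .splunkrc file stores the password in cleartext and should be mode 0600. For the token question raised further down the thread: the saved/searches/{name}/dispatch REST endpoint documents args.<name> parameters for $name$ substitution, which can be passed here as dispatch_args (for example `**{"args.index": "firewall"}`); check that against the REST reference for your Splunk version.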


Damien_Dallimor
Ultra Champion

Here is a link to the Python SDK Saved Search examples

In short try iterating over the saved searches in your app context like :

savedsearches = service.saved_searches

for savedsearch in savedsearches:
    print("  " + savedsearch.name)
    print("      Query: " + savedsearch["search"])
0 Karma

rharrisssi
Path Finder

Thank you for your idea!

0 Karma

somesoni2
Revered Legend

Instead of using | savedsearch command, try using SavedSearch object, like specified here:

http://dev.splunk.com/view/java-sdk/SP-CAAAEKY#runsaved

0 Karma

rharrisssi
Path Finder

I've considered that, but I didn't see anything about token usage like in the | savedsearch command.

0 Karma