Thanks for your input, I did see the error in the cron. I've since realized I can't poll the database this frequently; I need to build a more extensive parser that saves the date and time of the last event, and then starts the search with that value.
Before I do that I need to implement something brute force that will execute with the cron: 0 0 * * * (e.g. every midnight).
My new Python is simpler; it just figures out yesterday's date.
import datetime

def start_day():
    # Yesterday's date, formatted as YYYY-MM-DD for the query
    one_day = datetime.timedelta(days=1)
    today = datetime.date.today()
    startday = today - one_day
    return startday.strftime('%Y-%m-%d')
I'm actually doing a call with URL arguments that include:
$where=applieddate between $start_day$ and $datetoday$
However, I'm getting an error, and I think it's because the tokens aren't being replaced. I'm getting a 400, but the returned error is logged into the index and it reads:
http_error_code = 400 error_message = {"message":"query.soql.no-such-column","errorCode":"query.soql.no-such-column","data":{"data":{"column":"$start_day$","dataset":"alpha.34796","position":{"row":1,"column":38,"line":"SELECT * WHERE `applieddate` BETWEEN `$start_day$` AND `$datetoday$` ORDER BY `applieddate` DESC NULL FIRST\n
I would have expected the two tokens to be replaced with the date, since this is coming back from the endpoint into the index. Any ideas why the Python wouldn't have executed?
I saved it into the tokens.py file, and then I restarted Splunk for good measure in case it needed to be loaded in an include or something.
Your ideas are appreciated.
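One way to catch this failure before the request goes out, as an added example that is not part of the original post or of the Splunk input: build the $where clause from validated YYYY-MM-DD literals, so an unreplaced placeholder such as `$start_day$` raises locally instead of reaching the SoQL endpoint as a column name. The function names and the optional `today_iso` parameter are assumptions for testability.

```python
import datetime
import re

# Strict YYYY-MM-DD shape. Anything else (including an unreplaced token such
# as "$start_day$") is rejected before it can be sent to the endpoint.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def start_day(today_iso=None):
    """Yesterday's date as YYYY-MM-DD; today_iso is an assumed hook for tests."""
    today = (datetime.date.fromisoformat(today_iso) if today_iso
             else datetime.date.today())
    return (today - datetime.timedelta(days=1)).strftime("%Y-%m-%d")


def build_where(start, end, column="applieddate"):
    """Build the SoQL $where clause from two literal date strings.

    Both values are validated first, so a placeholder that was never replaced
    raises ValueError here rather than producing the remote
    query.soql.no-such-column 400 seen in the post (where the backticks show
    the token was parsed as an identifier, not a value).
    """
    for value in (start, end):
        if not _DATE_RE.match(value):
            raise ValueError(f"not a YYYY-MM-DD date literal: {value!r}")
        datetime.date.fromisoformat(value)  # also rejects e.g. 2024-13-40
    # SoQL quotes literals with single quotes; backticks denote column names.
    return f"{column} between '{start}' and '{end}'"


def date_range_params(today_iso=None):
    """Request parameters covering yesterday through today."""
    today = (datetime.date.fromisoformat(today_iso) if today_iso
             else datetime.date.today())
    end = today.strftime("%Y-%m-%d")
    return {"$where": build_where(start_day(today_iso), end)}
```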