I’m going to try to answer my own question. It looks like a lot of the problem has to do with formatting the Python, particularly printing HTML, and with where the script is located in relation to the Splunk Python libraries. Once I had the script in the correct folder and inserted properly quoted print statements, the whole thing worked. By quoted print statements I mean things like this:
print("Content-Type: text/html\r\n\r\n")
print("<html>")
print("<head>")
print("<title>Splunk IIS Activity</title>")
print("</head>")
The real problem with this entire exercise is that I could find nowhere where there was a simple Python script that ran a search and displayed the results. Typically I had to find a line here and a block of code there until I had the script scavenged together. But it does dispatch a search and display the raw results. Now I have to figure out how to get the results formatted.
Here is the code for the script:
import sys, os, string
# Put the SDK folder on the path before importing splunklib
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", ".."))
from xml.etree import ElementTree
import splunklib.results as results
import splunklib.client as client
import splunklib.binding as binding

# Connection settings for the local splunkd management port
HOST = "localhost"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"

service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)
# connect() already authenticates; this extra login is redundant but harmless
service.login()

# Blocking mode: create() returns only after the search has finished
kwargs_normalsearch = {"exec_mode": "blocking"}
jobs = service.jobs
job = jobs.create("search index=iis sourcetype=iis earliest=-6h | table time, c_ip, cs_uri_stem", **kwargs_normalsearch)

# CGI header, blank line, then the HTML document
print("Content-Type: text/html\r\n\r\n")
print("<html>")
print("<head>")
print("<title>Splunk IIS Activity</title>")
print("</head>")
print("<body>")
print("<h3>IIS Activity</h3>")
print("Job result count = ")
print(job["resultCount"])
# Each result is printed as-is (no HTML escaping or formatting yet)
for result in results.ResultsReader(job.results()):
    print(result)
print(" ")
print(" ")
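An added example, not part of the original post or of Splunk's SDK: one way to format the rows as an HTML table while escaping every value, since fields such as cs_uri_stem come straight from client requests. It assumes each result row is a dict, as results.ResultsReader yields them; render_table, render_page and SAMPLE_ROWS are hypothetical names and the sample rows are constructed.

```python
import html

FIELDS = ("time", "c_ip", "cs_uri_stem")  # columns named in the post's search

def render_table(rows, fields=FIELDS):
    """Build an HTML table from result rows, escaping every value."""
    header = "".join("<th>%s</th>" % html.escape(f) for f in fields)
    lines = ["<table>", "<tr>%s</tr>" % header]
    for row in rows:
        if not isinstance(row, dict):
            continue  # skip non-result items such as diagnostic messages
        cells = []
        for field in fields:
            value = row.get(field, "")
            if isinstance(value, (list, tuple)):  # multivalue field
                value = ", ".join(str(v) for v in value)
            cells.append("<td>%s</td>" % html.escape(str(value)))
        lines.append("<tr>%s</tr>" % "".join(cells))
    lines.append("</table>")
    return "\n".join(lines)

def render_page(rows, title="Splunk IIS Activity"):
    """Return the full CGI response: header, blank line, HTML document."""
    safe_title = html.escape(title)
    body = ("<html>\n<head>\n<title>%s</title>\n</head>\n<body>\n"
            "<h3>%s</h3>\n%s\n</body>\n</html>"
            % (safe_title, safe_title, render_table(rows)))
    return "Content-Type: text/html\r\n\r\n" + body

# Constructed sample rows (not real log data). The second row carries markup
# in the URI, the third stands in for a non-result item, and the fourth has a
# multivalue field and a missing column.
SAMPLE_ROWS = [
    {"time": "10:15:02", "c_ip": "192.0.2.10", "cs_uri_stem": "/default.aspx"},
    {"time": "10:15:07", "c_ip": "192.0.2.44",
     "cs_uri_stem": "/<script>alert(1)</script>"},
    "DEBUG: constructed stand-in for a diagnostic message",
    {"time": "10:16:30", "c_ip": ["192.0.2.10", "198.51.100.7"]},
]

if __name__ == "__main__":
    print(render_page(SAMPLE_ROWS))
```

In the script above, the rows would come from results.ResultsReader(job.results()) instead of SAMPLE_ROWS.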