Hi ITWhisperer, I did not add any of the code just because it is the one i use as a template to complete other queries successfully, so i would (maybe mistakenly) think that it is not necessarily the code. Still here is part of it and thanks for your input. my_creds_here {}
servercontent = requests.post(str(baseurl) + '/services/auth/login', headers = {}, data = data, verify = False)
sessionkey = minidom.parseString(servercontent.content).getElementsByTagName('sessionKey')[0].childNodes[
0].nodeValue
searchquery = 'index=myindex smtp-message-id="' + str(message_id) + '" earliest=-72 | fields smtp-message-id'
searchjob = requests.post(str(baseurl) + '/services/search/jobs',
headers = {'Authorization': 'Splunk %s' % sessionkey},
data = {'search': searchquery}, verify = False) # [1]
sid = minidom.parseString(searchjob.content).getElementsByTagName('sid')[0].childNodes[0].nodeValue
servicessearchstatusstr = '/services/search/jobs/%s/' % sid
isnotdone = True
while isnotdone:
searchstatus = requests.get(baseurl + servicessearchstatusstr, auth = (username, password),
verify = False).content.decode('utf-8')
isdonestatus = re.compile('isDone">(0|1)')
isdonestatus = isdonestatus.search(searchstatus).groups()[0]
if (isdonestatus == '1'):
isnotdone = False
print("====>search status: %s <====" % isdonestatus)
# Get the search results
if isdonestatus == '1':
services_search_results_str = '/services/search/jobs/%s/results?output_mode=json&count=0' % sid
searchresults = requests.get(baseurl + services_search_results_str, auth = (username, password),
verify = False)
#print response This is the response for queries in which no results are given. b'{"preview":false,"init_offset":0,"post_process_count":0,"messages":[{"type":"INFO","text":"Your timerange was substituted based on your search string"}],"results":[]}' Response where it responds with results b'{"preview":false,"init_offset":0,"messages":[{"type":"INFO","text":"Your timerange was substituted based on your search string"}],"fields":[{"MY FIELDS HERE"],"results":[{"MY RESULTS HERE "}], "highlighted":{}}'
... View more