Splunk REST API search
如下:
# Step 1: create the search job. splunkd answers with an XML document whose
# <sid> element identifies the job.
# -k skips server-certificate verification, so the admin:changeme basic-auth
# credentials are handed to whatever answers on :8089; acceptable for a local
# test instance only.
curl -u admin:changeme -k https://localhost:8089/services/search/jobs \
    -d search="search source=\"http:hec_test\" | head 5"

# Step 2: read the finished job's results as CSV, using the sid from step 1.
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1481684877.17/results/ \
    --get -d output_mode=csv
更智能点:
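# Create the job and extract the sid by matching the <sid> element itself.
# The original deleted fixed line numbers (sed "1,2d" | sed "2d") before the
# regex, which silently yields garbage as soon as the XML layout differs.
# -sS hides curl's progress meter but still reports errors, where the original
# 2>/dev/null hid both. -k disables certificate verification: the admin
# credentials and the job data are then exposed to anyone able to stand in
# for localhost:8089, so keep this pointed at a local box.
sid=$(curl -sS -u admin:changeme -k https://localhost:8089/services/search/jobs \
        -d search="search source=\"http:hec_test\" refresh" \
      | sed -n 's/.*<sid>\([0-9]*\.[0-9]*\)<\/sid>.*/\1/p')

# Abort when no sid came back (login rejected, splunkd down, ...) instead of
# requesting .../jobs//results/ and writing an error document into out.json.
if [ -z "$sid" ]; then
    echo "no sid returned by /services/search/jobs" >&2
    exit 1
fi
echo "$sid"

# Quote the URL: the sid is interpolated into it.
curl -sS -u admin:changeme -k "https://localhost:8089/services/search/jobs/$sid/results/" \
    --get -d output_mode=json > out.json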
python实现:
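#!/usr/bin/python -u
import urllib
import httplib2
from xml.dom import minidom
import time
import json

# The same python implementation for curl function
'''
sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" refresh | head 21" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>\([0-9]*\.[0-9]*\)<.*/\1/"`
echo $sid
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid?output_mode=json
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json
'''


class SplunkQuery(object):
    """Submit a search to splunkd's REST API and wait for its results.

    Mirrors the curl pipeline above: log in for a session key, create a
    search job, poll the job until ``isDone`` is set, then fetch the
    results document as JSON.
    """

    def __init__(self, baseurl='https://localhost:8089', username='admin',
                 password='changeme', verify_ssl=False):
        # Defaults reproduce the original hard-coded values, so the existing
        # call ``SplunkQuery()`` behaves exactly as before. Anything beyond a
        # local demo should pass real credentials instead of the factory
        # default admin:changeme.
        self.baseurl = baseurl
        self.userName = username
        self.password = password
        # verify_ssl=False keeps the original
        # ``disable_ssl_certificate_validation=True``: the password and the
        # returned session key then travel over a connection whose server
        # certificate is never checked, so anyone on the network path can
        # read or replace them. Pass verify_ssl=True for a non-local server.
        self.verify_ssl = verify_ssl
        # Logging in eagerly makes a rejected login fail at construction.
        self.sessionKey = self.get_key()

    def _http(self):
        """Return an httplib2 client configured per ``self.verify_ssl``."""
        return httplib2.Http(
            disable_ssl_certificate_validation=not self.verify_ssl)

    def _request(self, path, method, body=None, authenticated=True):
        """Issue one REST call against ``self.baseurl`` and return the body.

        ``body`` is a dict that is form-encoded (an empty body is sent when it
        is None, as the original status polls did). ``authenticated`` adds the
        ``Authorization: Splunk <sessionKey>`` header the job endpoints need;
        the login call itself runs with no headers.
        """
        headers = {}
        if authenticated:
            headers['Authorization'] = 'Splunk %s' % self.sessionKey
        return self._http().request(
            self.baseurl + path, method, headers=headers,
            body=urllib.urlencode(body or {}))[1]

    def get_key(self):
        """POST the credentials to /services/auth/login and return the session key.

        Raises IndexError when the response carries no <sessionKey> element,
        because the XML lookup is unguarded (same as the original).
        """
        server_content = self._request(
            '/services/auth/login', 'POST',
            body={'username': self.userName, 'password': self.password},
            authenticated=False)
        doc = minidom.parseString(server_content)
        return doc.getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

    def submit_job(self, search_query):
        """Create a search job for ``search_query`` and return its sid.

        The endpoint expects a complete SPL string, so a bare filter such as
        ``sourcetype=hec_test | head 5`` gets ``search `` prepended. A query
        that already begins with a pipe (a generating command) is passed
        through untouched; the original turned it into ``search | ...``.
        """
        stripped = search_query.lstrip()
        if not (stripped.startswith('search') or stripped.startswith('|')):
            search_query = 'search ' + search_query
        sid_body = self._request('/services/search/jobs', 'POST',
                                 body={'search': search_query})
        sid = minidom.parseString(sid_body).getElementsByTagName("sid")[0].childNodes[0].nodeValue
        print "sid:", sid
        return sid

    def _job_status(self, sid):
        """Return the ``content`` dict of job ``sid`` from its JSON entry."""
        response = self._request(
            '/services/search/jobs/' + sid + "?output_mode=json", 'POST')
        return json.loads(response)["entry"][0]["content"]

    def request_results(self, sid, poll_interval=0.001):
        """Block until job ``sid`` reports ``isDone``, then return its results.

        ``poll_interval`` is the sleep between status polls. The original
        polled every millisecond, which keeps splunkd busy answering status
        requests; raise it for anything other than a local benchmark.
        Returns the ``results`` list of the JSON results document.
        Raises AssertionError if the event count reported by the job does not
        match the number of results fetched.
        """
        start = time.time()
        content = self._job_status(sid)
        while not content["isDone"]:
            time.sleep(poll_interval)
            content = self._job_status(sid)
        request_time = time.time() - start
        print "result event count:", content["eventCount"], "request time:", request_time
        result_response = self._request(
            '/services/search/jobs/' + sid + "/results", 'GET',
            body={"output_mode": "json"})
        results = json.loads(result_response)["results"]
        # NOTE(review): the results endpoint presumably pages its output, so
        # for large jobs len(results) may be smaller than eventCount even
        # though nothing went wrong; the check below holds for small searches
        # like the demo's ``head 5``. Spelled out rather than a bare ``assert``
        # so it survives ``python -O``.
        if content["eventCount"] != len(results):
            raise AssertionError("eventCount %s != %d results fetched"
                                 % (content["eventCount"], len(results)))
        end = time.time()
        print "result count:", len(results), "result request time:", end - start
        return results

    def run(self, searchQuery):
        """Submit ``searchQuery``, wait for its results, return elapsed seconds.

        The original returned ``start - end``, a negative duration; the sign
        is corrected here so the return value matches the printed time.
        """
        start = time.time()
        sid = self.submit_job(searchQuery)
        self.request_results(sid)
        end = time.time()
        print "search time:", end - start
        return end - start


if __name__ == '__main__':
    Q = SplunkQuery()
    Q.run(searchQuery='sourcetype=hec_test | head 5')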
参考:http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTTUT/RESTsearches