splunk rest api search

As follows (the first call creates the search job and returns its sid in an XML reply; the second fetches the results of that job as CSV; admin:changeme is Splunk's default lab credential and -k skips certificate checking for the self-signed cert on port 8089):

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" | head 5"
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1481684877.17/results/ --get -d output_mode=csv

A bit smarter: capture the sid from the submit response instead of pasting it by hand. Note that the sed pipeline below assumes the sid sits on a fixed line of the XML reply, so it breaks if the response layout changes; asking for output_mode=json and parsing that is the robust route:

sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" refresh" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>\([0-9]*\.[0-9]*\)<.*/\1/"`
echo $sid
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json

Python implementation:

#!/usr/bin/python -u

import urllib
import httplib2
from xml.dom import minidom
import time
import json

# The same flow as the curl commands above, in Python:
'''
sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" refresh | head 21" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>\([0-9]*\.[0-9]*\)<.*/\1/"`
echo $sid
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid?output_mode=json
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json
'''

class SplunkQuery(object):
    def __init__(self):
        self.baseurl = 'https://localhost:8089'
        self.userName = 'admin'
        self.password = 'changeme'   # lab default; for anything real, use a dedicated account and read the secret from the environment, not source
        self.sessionKey = self.get_key()

    def http(self):
        # disable_ssl_certificate_validation=True is the curl -k equivalent: acceptable for a
        # lab instance with Splunk's self-signed cert, not for a shared search head
        return httplib2.Http(disable_ssl_certificate_validation=True)

    def get_key(self):
        # POST /services/auth/login once, then reuse the session key in an
        # "Authorization: Splunk <key>" header instead of sending the password on every call
        server_content = self.http().request(self.baseurl + '/services/auth/login', 'POST', headers={}, body=urllib.urlencode({'username':self.userName, 'password':self.password}))[1]
        session_key = minidom.parseString(server_content).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
        return session_key

    def auth_header(self):
        return {'Authorization': 'Splunk %s' % self.sessionKey}

    def submit_job(self, search_query):
        # the REST endpoint needs the leading "search" command that the search bar adds for you
        if not search_query.startswith('search'):
            search_query = 'search ' + search_query
        sid_body = self.http().request(self.baseurl + '/services/search/jobs', 'POST', headers=self.auth_header(), body=urllib.urlencode({'search': search_query}))[1]
        sid = minidom.parseString(sid_body).getElementsByTagName("sid")[0].childNodes[0].nodeValue
        print "sid:", sid
        return sid

    def job_status(self, sid):
        # GET /services/search/jobs/<sid>?output_mode=json: the job's "content" holds isDone, isFailed, eventCount, resultCount
        response = self.http().request(self.baseurl + '/services/search/jobs/' + sid + "?output_mode=json", 'GET', headers=self.auth_header())[1]
        return json.loads(response)["entry"][0]["content"]

    def request_results(self, sid):
        start = time.time()
        # poll until isDone; a failed job sets isFailed instead, so stop on that too rather than looping forever
        content = self.job_status(sid)
        while not content["isDone"]:
            if content.get("isFailed"):
                raise RuntimeError("search job %s failed" % sid)
            time.sleep(0.1)   # the original polled every 1 ms, which only hammers the management port
            content = self.job_status(sid)
        request_time = time.time() - start
        print "result event count:", content["eventCount"], "request time:", request_time
        # output_mode must be in the query string for a GET; count=0 returns every row (the default page size is 100)
        result_response = self.http().request(self.baseurl + '/services/search/jobs/' + sid + "/results?" + urllib.urlencode({"output_mode": "json", "count": 0}), 'GET', headers=self.auth_header())[1]
        results = json.loads(result_response)["results"]
        # compare against resultCount, not eventCount: they differ once the search goes through a transforming command such as stats or timechart
        assert content["resultCount"] == len(results)
        end = time.time()
        print "result count:", len(results), "result request time:", end - start
        return results

    def run(self, searchQuery):
        start = time.time()
        sid = self.submit_job(searchQuery)
        self.request_results(sid)
        end = time.time()
        print "search time:", end - start
        return end - start   # the original returned start-end, i.e. a negative duration

Q = SplunkQuery()
Q.run(searchQuery = 'sourcetype=hec_test | head 5')
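The following is an added example, not code from the original post or from Splunk's SDK. It is a Python 3 version of the same submit / poll / fetch cycle that fixes the weak spots a practitioner runs into with the shell and Python 2 versions above: the sid is read from the XML tree rather than by counting lines with sed, a job that ends in the FAILED state raises instead of being polled forever, there is a deadline on polling, and /results is paged with count/offset because that endpoint returns at most 100 rows per call by default. The endpoint paths and job fields (sid, sessionKey, isDone, isFailed, dispatchState, resultCount, count, offset) are the Splunk REST API's own; the base URL, the admin:changeme credential, the sid value and the sample responses served by fake_transport are constructed for this example so it runs with no Splunk instance, and urllib_transport is the drop-in for a live server.

```python
import json, ssl, time
import urllib.parse, urllib.request
import xml.etree.ElementTree as ET


def parse_sid(xml_body):
    """sid from the XML that POST /services/search/jobs returns (<response><sid>..</sid></response>)."""
    sid = ET.fromstring(xml_body).findtext("sid")   # tree walk: no dependence on line layout, unlike sed
    if not sid:
        raise ValueError("no <sid> in job-submit response")
    return sid.strip()

def job_state(json_body):
    """The fields a polling loop needs from GET /services/search/jobs/<sid>?output_mode=json."""
    c = json.loads(json_body)["entry"][0]["content"]
    return {"done": bool(c.get("isDone")), "failed": bool(c.get("isFailed")),
            "state": c.get("dispatchState"), "result_count": int(c.get("resultCount", 0))}

class SplunkSearch:
    """submit / wait / results; request(method, path, params) -> bytes is the only I/O."""

    def __init__(self, request):
        self.request = request

    def submit(self, query):
        if not query.lstrip().startswith(("search ", "|")):   # "| tstats ..." needs no prefix
            query = "search " + query
        return parse_sid(self.request("POST", "/services/search/jobs", {"search": query}))

    def wait(self, sid, poll=0.5, timeout=60.0):
        deadline = time.monotonic() + timeout
        while True:
            st = job_state(self.request("GET", "/services/search/jobs/" + sid, {"output_mode": "json"}))
            if st["failed"] or st["state"] == "FAILED":
                raise RuntimeError("search job %s failed" % sid)   # an isDone-only loop spins forever here
            if st["done"]:
                return st
            if time.monotonic() > deadline:
                raise TimeoutError("search job %s still running after %ss" % (sid, timeout))
            time.sleep(poll)

    def results(self, sid, page=100):
        """/results returns at most `count` rows per call (100 by default), so page with offset."""
        out, offset = [], 0
        while True:
            body = self.request("GET", "/services/search/jobs/%s/results" % sid,
                                {"output_mode": "json", "count": page, "offset": offset})
            rows = json.loads(body)["results"]
            out.extend(rows)
            if len(rows) < page:
                return out
            offset += page

def urllib_transport(base_url, username, password, verify=True):
    """Real transport: log in once, then send 'Authorization: Splunk <key>' instead of the
    password on every call (curl -u re-sends it). verify=False is curl -k: lab boxes only."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def call(method, path, params, headers=None):
        data = urllib.parse.urlencode(params)
        url = base_url + path + ("?" + data if method == "GET" else "")
        body = None if method == "GET" else data.encode()
        req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read()

    login = call("POST", "/services/auth/login", {"username": username, "password": password})
    key = ET.fromstring(login).findtext("sessionKey")
    return lambda method, path, params: call(method, path, params, {"Authorization": "Splunk " + key})

# Constructed responses (sid value included) so the example runs with no Splunk instance at all.
SUBMIT_XML = b"<?xml version='1.0' encoding='UTF-8'?>\n<response>\n  <sid>1481684877.17</sid>\n</response>"
RUNNING, DONE = {"isDone": False, "dispatchState": "RUNNING"}, {"isDone": True, "dispatchState": "DONE"}

def fake_transport(rows, states):
    """Scripted server: SUBMIT_XML for a submit, `states` in turn for status polls
    (the last one repeats), and `rows` sliced by count/offset for /results."""
    polls = [0]

    def request(method, path, params):
        if path.endswith("/search/jobs"):
            return SUBMIT_XML
        if path.endswith("/results"):
            off, cnt = int(params["offset"]), int(params["count"])
            return json.dumps({"results": rows[off:off + cnt]}).encode()
        st = states[min(polls[0], len(states) - 1)]
        polls[0] += 1
        return json.dumps({"entry": [{"content": dict(st, resultCount=len(rows))}]}).encode()
    return request

def demo(n_rows=250):
    """Full cycle against the fake server; 250 rows means three /results pages."""
    rows = [{"_raw": "event %d" % i, "source": "http:hec_test"} for i in range(n_rows)]
    client = SplunkSearch(fake_transport(rows, [RUNNING, DONE]))
    sid = client.submit('source="http:hec_test"')
    state = client.wait(sid, poll=0)
    fetched = client.results(sid)
    assert state["result_count"] == len(fetched)
    return sid, len(fetched)
```

For a live run, replace fake_transport with SplunkSearch(urllib_transport("https://localhost:8089", "admin", "changeme", verify=False)) and call submit, wait and results in the same order as demo; the session key is obtained once in urllib_transport, so the password never leaves the login call. Keep verify=True on anything but a throwaway lab instance.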

Reference: http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTTUT/RESTsearches

Posted by bonelee