Splunk REST API Python Example

There's really nothing special here except a mildly updated example of the code found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Python_example

Basically, updated to python3 due to the impending end-of-life (print() adjustment, and urlencode had changed in Python3). While I was at it, I found at least one thing that several people on Splunk Communities were asking about, which was changing the output_mode when using python and added that as a variable at the top.

The results are the bottom are returned immediatly (/export) and printed in a more human-readable format, just for the sake of the example. The sample query changed such that you have a high chance of getting results running this as is (4624 = successful Windows login).

I think that's about it. Again, nothing special, but some minor tweaks that may help someone (probably me) understand how to change search results to get what I want.


import urllib
import httplib2
from xml.dom import minidom

baseurl = 'https://localhost:8089'
userName = 'admin'
password = 'password'
output = 'csv'  #options are: raw, csv, xml, json, json_cols, json_rows
                # If you are using "table" in your search result, you must(?) use "csv"

searchQuery = 'earliest=-2d index=* EventCode=4624 | head 3 | table _time,host,user,EventCode'

# Authenticate with server.
# Disable SSL cert validation. Splunk certs are self-signed.
    serverContent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login','POST', headers={}, body=urllib.parse.urlencode({'username':userName, 'password':password}))[1]
    print("error in retrieving login.")
     sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
     print("error in retrieving sessionKey")

# Remove leading and trailing whitespace from the search
searchQuery = searchQuery.strip()

# If the query doesn't already start with the 'search' operator or another 
# generating command (e.g. "| inputcsv"), then prepend "search " to it.
if not (searchQuery.startswith('search') or searchQuery.startswith("|")):
    searchQuery = 'search ' + searchQuery


print("----- RESULTS BELOW -----")

# Run the search.
# Again, disable SSL cert validation. 
searchResults = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs/export?output_mode='+output,'POST',headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.parse.urlencode({'search': searchQuery}))[1]

searchResults = searchResults.decode('utf-8')

for result in searchResults.splitlines():
    print("---") # These are just here to demonstrate that we are reading line-by-line