  • splunk rest api search

    如下:

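    # Create a search job, then fetch the results of an existing job by sid.
    # Single quotes around the SPL keep the inner "..." intact instead of
    # depending on the shell's adjacent-string concatenation, which silently
    # strips the inner quotes in the original form.
    # -k disables certificate checking and -u admin:changeme puts the password
    # into the process list and shell history: acceptable against a local test
    # instance only.
    curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search='search source="http:hec_test" | head 5'
    curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1481684877.17/results/ --get -d output_mode=csv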

    更智能点:

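    # Submit the search and pull the job id out of the <sid> element of the XML
    # reply.  The sed expression as posted appears to have lost its backslashes
    # (\( \) \1): without them the group never matches, so $sid keeps the raw
    # XML line and the results request below fails.  -n/p prints only the line
    # that matched, which also removes the need for the line-deleting sed calls.
    # -k skips certificate verification and -u user:pass exposes the password
    # to the process list and shell history - local test instance only.
    sid=$(curl -u admin:changeme -k https://localhost:8089/services/search/jobs \
        -d search='search source="http:hec_test" refresh' 2>/dev/null \
        | sed -n 's/.*<sid>\([0-9]*\.[0-9]*\)<\/sid>.*/\1/p')
    echo "$sid"
    curl -u admin:changeme -k "https://localhost:8089/services/search/jobs/$sid/results/" --get -d output_mode=json 2>/dev/null >out.json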

     python实现:

    #!/usr/bin/python -u
    
    import urllib
    import httplib2
    from xml.dom import minidom
    import time
    import json
    
    # The same python implementation for curl function
    '''
    sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source="http:hec_test" refresh | head 21" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>([0-9]*.[0-9]*)<.*/1/"`
    echo $sid
    curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid?output_mode=json
    curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json
    '''
    
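    class SplunkQuery(object):
        """Run a search through the Splunk REST API and fetch its results.

        Logging in happens in ``__init__``; the session key it obtains is sent
        as ``Authorization: Splunk <key>`` on every later request.
        """

        def __init__(self, baseurl='https://localhost:8089', userName='admin',
                     password='changeme', verify_ssl=False):
            """Log in to Splunk and keep the session key.

            The defaults reproduce the values that used to be hard-coded, so a
            plain ``SplunkQuery()`` still works; real deployments should pass
            credentials in (e.g. read from the environment) rather than keep
            them in source.

            verify_ssl: when False, TLS certificate validation is disabled,
                which is what a default Splunk install with its self-signed
                certificate needs on localhost.  Use True for any instance
                reached over a real network.
            """
            self.baseurl = baseurl
            self.userName = userName
            self.password = password
            self.verify_ssl = verify_ssl
            self.sessionKey = self.get_key()

        def _request(self, path, method, params, headers=None):
            """Send one request to ``baseurl + path`` and return the body.

            params is form-encoded into the request body (an empty dict gives
            an empty body).  The HTTP status is not checked, so a non-2xx reply
            surfaces later as a parse error in the caller.
            """
            http = httplib2.Http(disable_ssl_certificate_validation=not self.verify_ssl)
            response = http.request(self.baseurl + path, method,
                                    headers=headers or {},
                                    body=urllib.urlencode(params))
            return response[1]

        def _auth_headers(self):
            """Return the headers carrying the session key from get_key()."""
            return {'Authorization': 'Splunk %s' % self.sessionKey}

        def get_key(self):
            """Authenticate with username/password and return the session key.

            Raises IndexError when the reply carries no <sessionKey> element,
            which is the usual symptom of wrong credentials.
            """
            body = self._request('/services/auth/login', 'POST',
                                 {'username': self.userName, 'password': self.password})
            doc = minidom.parseString(body)
            return doc.getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

        def submit_job(self, search_query):
            """Create a search job for search_query and return its sid."""
            # Prepend the search operator when the query does not start with it.
            if not search_query.startswith('search'):
                search_query = 'search ' + search_query
            body = self._request('/services/search/jobs', 'POST',
                                 {'search': search_query}, self._auth_headers())
            sid = minidom.parseString(body).getElementsByTagName("sid")[0].childNodes[0].nodeValue
            print "sid:", sid
            return sid

        def request_results(self, sid, poll_interval=0.001, timeout=None):
            """Wait for job sid to finish and return its result rows.

            poll_interval: seconds to sleep between status polls; the default
                of 1 ms is very aggressive, raise it for long searches.
            timeout: optional wall-clock limit in seconds for the wait.
                RuntimeError is raised when it is exceeded; None waits
                indefinitely.
            """
            start = time.time()
            status_path = '/services/search/jobs/' + sid + '?output_mode=json'
            headers = self._auth_headers()
            data = json.loads(self._request(status_path, 'POST', {}, headers))
            while not data["entry"][0]["content"]["isDone"]:
                if timeout is not None and time.time() - start > timeout:
                    raise RuntimeError('search job %s not done after %s s' % (sid, timeout))
                time.sleep(poll_interval)
                data = json.loads(self._request(status_path, 'POST', {}, headers))
            request_time = time.time() - start
            event_count = data["entry"][0]["content"]["eventCount"]
            print "result event count:", event_count, "request time:", request_time
            # output_mode goes in the query string (what curl --get does in the
            # shell version); a form body on a GET is not reliably honoured.
            result_body = self._request('/services/search/jobs/' + sid + '/results?output_mode=json',
                                        'GET', {}, headers)
            results = json.loads(result_body)["results"]
            # NOTE(review): this sanity check assumes the results endpoint returns
            # every event in a single reply; if the server pages large result
            # sets the two counts will differ - confirm before relying on it.
            assert event_count == len(results)
            end = time.time()
            print "result count:", len(results), "result request time:", end - start
            return results

        def run(self, searchQuery):
            """Submit searchQuery, wait for its results, return elapsed seconds.

            The returned value is the same positive ``end - start`` that is
            printed (the sign used to be inverted).
            """
            start = time.time()
            sid = self.submit_job(searchQuery)
            self.request_results(sid)
            elapsed = time.time() - start
            print "search time:", elapsed
            return elapsed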
    
    # Demo run against the default localhost instance; run() prints its
    # timings, and the elapsed-time value it returns is discarded here.
    Q = SplunkQuery()
    Q.run('sourcetype=hec_test | head 5')

    参考:http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTTUT/RESTsearches

  • 原文地址:https://www.cnblogs.com/bonelee/p/6178680.html