如下:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" | head 5"
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1481684877.17/results/ --get -d output_mode=csv

更智能点:

sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" refresh" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>\([0-9]*\.[0-9]*\)<.*/\1/"`
echo $sid
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json

python实现:

#!/usr/bin/python -u

import urllib
import httplib2
from xml.dom import minidom
import time
import json # The same python implementation for curl function
'''
sid=`curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search source=\"http:hec_test\" refresh | head 21" 2>/dev/null | sed "1,2d" | sed "2d" | sed "s/.*>\([0-9]*\.[0-9]*\)<.*/\1/"`
echo $sid
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid?output_mode=json
curl -u admin:changeme -k https://localhost:8089/services/search/jobs/$sid/results/ --get -d output_mode=json 2>/dev/null >out.json
''' class SplunkQuery(object):
def __init__(self):
self.baseurl = 'https://localhost:8089'
self.userName = 'admin'
self.password = 'changeme'
self.sessionKey = self.get_key() def get_key(self):
server_content = httplib2.Http(disable_ssl_certificate_validation=True).request(self.baseurl + '/services/auth/login', 'POST', headers={}, body=urllib.urlencode({'username':self.userName, 'password':self.password}))[1]
session_key = minidom.parseString(server_content).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
return session_key def submit_job(self, search_query):
# check if the query has the search operator
if not search_query.startswith('search'):
search_query = 'search ' + search_query
sid_body = httplib2.Http(disable_ssl_certificate_validation=True).request(self.baseurl + '/services/search/jobs','POST', headers={'Authorization': 'Splunk %s' % self.sessionKey},body=urllib.urlencode({'search': search_query}))[1]
sid = minidom.parseString(sid_body).getElementsByTagName("sid")[0].childNodes[0].nodeValue
print "sid:", sid
return sid def request_results(self, sid):
start = time.time()
response = httplib2.Http(disable_ssl_certificate_validation=True).request(self.baseurl + '/services/search/jobs/' + sid + "?output_mode=json", 'POST', headers={'Authorization': 'Splunk %s' % self.sessionKey},body=urllib.urlencode({}))[1]
data = json.loads(response)
while not data["entry"][0]["content"]["isDone"]:
time.sleep(0.001)
response = httplib2.Http(disable_ssl_certificate_validation=True).request(self.baseurl + '/services/search/jobs/' + sid + "?output_mode=json", 'POST', headers={'Authorization': 'Splunk %s' % self.sessionKey},body=urllib.urlencode({}))[1]
data = json.loads(response)
request_time = time.time()-start
print "result event count:", data["entry"][0]["content"]["eventCount"], "request time:", request_time
result_response = httplib2.Http(disable_ssl_certificate_validation=True).request(self.baseurl + '/services/search/jobs/' + sid + "/results", 'GET', headers={'Authorization': 'Splunk %s' % self.sessionKey},body=urllib.urlencode({"output_mode": "json"}))[1]
results = json.loads(result_response)["results"]
assert data["entry"][0]["content"]["eventCount"] == len(results)
end = time.time()
print "result count:", len(results), "result request time:", end-start
return results def run(self, searchQuery):
start = time.time()
sid = self.submit_job(searchQuery)
self.request_results(sid)
end = time.time()
print "search time:", end-start
return start-end Q = SplunkQuery()
Q.run(searchQuery = 'sourcetype=hec_test | head 5')

参考:http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTTUT/RESTsearches

splunk rest api search的更多相关文章

  1. 小记SharePoint REST API Search和COM

    1.管理员身份Visual Studio,新建类项目 SPCOM 2.编写逻辑实现代码 重点关注搜索结果的属性包括: Title,Author,Path,Description,HitHighligh ...

  2. ElasticSearch(十四) _search api search timeout 机制

    语法:timeout=10ms,timeout=1s,timeout=1m GET /_search?timeout=10m timeout:默认无timeout,latency平衡completen ...

  3. splunk中mongodb作用——存用户相关数据如会话、搜索结果等

    About the app key value store The app key value store (or KV store) provides a way to save and retri ...

  4. Splunk Enterprise architecture——转发器本质上是日志收集client附加负载均衡,indexer是分布式索引,外加一个集中式管理协调的中心节点

    Splunk Enterprise architecture and processes This topic discusses the internal architecture and proc ...

  5. 使用SPLUNK进行简单Threat Hunting

    通过订阅网上公开的恶意ip库(威胁情报),与SIEM平台中网络流量日志进行匹配,获得安全事件告警. 比如,这里有一个malware urls数据下载的网站,每天更新一次: https://urlhau ...

  6. .net 调用java rest ful api 实例

    注意post的参数组合 HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest; request.Method = &quo ...

  7. 百度音乐API抓取

    百度音乐API抓取 前段时间做了一个本地音乐的播放器 github地址,想实现在线播放的功能,于是到处寻找API,很遗憾,不是歌曲不全就是质量不高.在网上发现这么一个APIMRASONG博客,有“获取 ...

  8. c# 请求api获得json数据

    public static string HttpGet(string Url) { HttpWebRequest request = (HttpWebRequest)WebRequest.Creat ...

  9. (07)odoo扩展API

    * 打开XML-RPC 连接    >>> import xmlrpclib    >>> srv, db = 'http://localhost:8069', ' ...

随机推荐

  1. How to crack interviews ...

    Code practice: Leetcode: www.leetcode.com HackerRank: www.hackerrank.com Topcoder: https://www.topco ...

  2. Perfection Kills

    <!doctype html> <html> <head> <meta charset="utf-8"> <title> ...

  3. loutsScript 常用代码

    1.FTSearch搜索: Set dc=db.Ftsearch("name",0) '0位置为最大的查询数,0为所有匹配的文件 FTSearch必须创建数据库索引 Set doc ...

  4. html 实时监控发送数据

    我们都知道ajax可以做异步提交,可以从一个文件里得到返回的数据,如此便能够实时的得到数据,实时刷新页面,如下代码 setInterval(function(){ $.ajax({ url:'demo ...

  5. Spring管理bean的生命周期

    1: bean的创建:   如果我们默认的scope配置为Singleton的话, bean的创建实在Spring容器创建的时候创建: 如果scope的配置为Prototype的话,bena的创建是在 ...

  6. 如何将自己开发的标签打成jar包

    1: 在Myeclipse中新建一个java工程 2: 将你的标签处理器类统统都拷到工程里面, 将tld文件拷到META-INF里面 3:点击file里面的export,

  7. MFC编程入门之六(对话框:创建对话框模板和修改对话框属性)

    本节开始为大家讲解偏向应用的知识--创建对话框.  对话框,大家应该很熟悉了,在我们常用的软件中大多都有对话框界面,例如,360安全卫士的主界面其实就是对话框,知识它做了很多美工方面的工作,将其大大美 ...

  8. Hashtable HashMap

    Hashtable和HashMap类有三个重要的不同之处.第一个不同主要是历史原因.Hashtable是基于陈旧的Dictionary类的,HashMap是Java 1.2引进的Map接口的一个实现. ...

  9. JavaScript 开发进阶:理解 JavaScript 作用域和作用域链(转载 学习中。。。)

    作用域是JavaScript最重要的概念之一,想要学好JavaScript就需要理解JavaScript作用域和作用域链的工作原理.今天这篇文章对JavaScript作用域和作用域链作简单的介绍,希望 ...

  10. zabbix监控系统客户端安装

    原文:http://blog.chinaunix.net/uid-25266990-id-3387002.html 测试使用agentd监听获取数据. 服务端的安装可以查看http://blog.ch ...