有没有办法通过splunklib.results模块或任何splunklib模块获取Splunk搜索期间发生的错误数量?
下面是我的代码到目前为止:
#purpose of script: To connect to Splunk, execute a query, and write the query results out to an excel file.
#query results = multiple dynamic # of rows. 7 columns.
#!/usr/bin/env python
import splunklib.client as client #splunklib.client class is used to connect to splunk, authenticate, and maintain session
import splunklib.results as results #module for returning results and printing/writing them out
listOfAppIDs = []
#open file to read each line and add each line in file to an array. These are our appID's to search
with open('filelocation.txt', 'r') as fi:
for line in fi:
listOfAppIDs.append(line.rstrip('\n'))
print listOfAppIDs
#identify variables used to log in
HOST = "8.8.8.8"
PORT = 8089
USERNAME = "uName"
PASSWORD = "pWord"
startPoint = "appID1" #initial start point in array
outputCsv = open('filelocation.csv', 'wb')
fieldnames = ['Application ID', 'transport', 'dst_port', 'Average Throughput per Month','Total Sessions Allowed', 'Unique Source IPs', 'Unique Destination IPs']
writer = csv.DictWriter(outputCsv, fieldnames=fieldnames)
writer.writeheader();
def connect():
global startPoint , item
print "startPoint: " + startPoint
#Create a service instance by using the connect function and log in
service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD,
autologin=True
)
jobs = service.jobs# Get the collection of jobs/searches
kwargs_blockingsearch = {"exec_mode": "normal"}
try:
for item in listOfAppIDs:
errorCount=0
print "item: " + item
if (item >= startPoint):
searchquery_blocking = "search splunkQery"
print item + ':'
job = jobs.create(searchquery_blocking, **kwargs_blockingsearch) # A blocking search returns query result. Search executes here
print "Splunk query for appID " , item , " completed! \n"
resultCount = job["resultCount"] #number of results this job (splunk query) returned
print "result count " , resultCount
rr = results.ResultsReader(job.results())
for result in rr:
if isinstance(result, results.Message):
# Diagnostic messages may be returned in the results
# Check the type and do something.
if result.type == log_type:
print '%s: %s' % (result.type, result.message)
errorCount+=1
elif isinstance(result, dict):
# Normal events are returned as dicts
# Do something with them if required.
print result
writer.writerow([result + errorCount])
pass
assert rr.is_preview == False
except:
print "\nexcept\n"
startPoint = item #returh to connect function but start where startPoint is at in array
connect()
print "done!"
connect()
我使用上面的代码得到以下错误:
'OrderedDict' object has no attribute 'messages'
答案 0 :(得分:3)
from splunklib import results
my_feed=results.ResultsReader(open("results.xml"))
log_type='ERROR'
n_errors=0
for result in my_feed.results:
if isinstance(result, results.Message):
if result.type==log_type:
print result.message
n_errors+=1
您可能遇到data.load()问题,因为它需要带有单个根节点的xml。如果您有多个结果,则一个Feed中的节点可以解决此问题,即:"<root>+open("feed.xml").read()</root>"
如果您可以访问原始Feed而不是数据对象,则可以使用lxml insted of splunk lib
len( lxml.etree.parse("results.xml").findall("//messages/msg[@type='ERROR']") )
以下是基于splunklib文档的完整示例。 ResultsReader
解析原子Feed并为您调用data.load()
每个结果。
import splunklib.client as client
import splunklib.results as results
from time import sleep
log_type='ERROR'
service = client.connect(...)
job = service.jobs.create("search * | head 5")
while not job.is_done():
sleep(.2)
rr = results.ResultsReader(job.results())
for result in rr:
if isinstance(result, results.Message):
# Diagnostic messages may be returned in the results
# Check the type and do something.
if result.type == log_type:
print '%s: %s' % (result.type, result.message)
elif isinstance(result, dict):
# Normal events are returned as dicts
# Do something with them if required.
pass
assert rr.is_preview == False