Numero di errori restituiti dalla ricerca di Splunk in Python

Question

C'è un modo per ottenere il numero di errori che si sono verificati durante una ricerca di Splunk con il modulo splunklib.results o uno dei moduli splunklib?

Qui di seguito, è il mio codice finora:

#purpose of script: To connect to Splunk, execute a query, and write the query results out to an excel file. 
#query results = multiple dynamiC# of rows. 7 columns. 

#!/usr/bin/env python 
import splunklib.client as client #splunklib.client class is used to connect to splunk, authenticate, and maintain session 
import splunklib.results as results #module for returning results and printing/writing them out 

listOfAppIDs = [] 
#open file to read each line and add each line in file to an array. These are our appID's to search 
with open('filelocation.txt', 'r') as fi: 
    for line in fi: 
     listOfAppIDs.append(line.rstrip('\n')) 
print listOfAppIDs 

#identify variables used to log in 
HOST = "8.8.8.8" 
PORT = 8089 
USERNAME = "uName" 
PASSWORD = "pWord" 

startPoint = "appID1" #initial start point in array 

outputCsv = open('filelocation.csv', 'wb') 
fieldnames = ['Application ID', 'transport', 'dst_port', 'Average Throughput per Month','Total Sessions Allowed', 'Unique Source IPs', 'Unique Destination IPs'] 
writer = csv.DictWriter(outputCsv, fieldnames=fieldnames) 
writer.writeheader(); 

def connect(): 
    global startPoint , item 
    print "startPoint: " + startPoint 

    #Create a service instance by using the connect function and log in 
    service = client.connect(
     host=HOST, 
     port=PORT, 
     username=USERNAME, 
     password=PASSWORD, 
     autologin=True 
    ) 
    jobs = service.jobs# Get the collection of jobs/searches 
    kwargs_blockingsearch = {"exec_mode": "normal"} 

    try: 
     for item in listOfAppIDs: 
      errorCount=0 
      print "item: " + item 
      if (item >= startPoint):  
       searchquery_blocking = "search splunkQery" 
       print item + ':' 
       job = jobs.create(searchquery_blocking, **kwargs_blockingsearch) # A blocking search returns query result. Search executes here 
       print "Splunk query for appID " , item , " completed! \n" 
       resultCount = job["resultCount"] #number of results this job (splunk query) returned 
       print "result count " , resultCount 
       rr = results.ResultsReader(job.results()) 
       for result in rr: 
        if isinstance(result, results.Message): 
         # Diagnostic messages may be returned in the results 
         # Check the type and do something. 
         if result.type == log_type: 
          print '%s: %s' % (result.type, result.message) 
          errorCount+=1 
        elif isinstance(result, dict): 
         # Normal events are returned as dicts 
         # Do something with them if required. 
         print result 
         writer.writerow([result + errorCount]) 
         pass 
       assert rr.is_preview == False 
    except: 
     print "\nexcept\n" 
     startPoint = item #returh to connect function but start where startPoint is at in array 
     connect() 

    print "done!"  

connect() 

ottengo il seguente errore con il codice di cui sopra:

'OrderedDict' object has no attribute 'messages'

Answer 1

from splunklib import results 
my_feed=results.ResultsReader(open("results.xml")) 

log_type='ERROR' 

n_errors=0 
for result in my_feed.results: 
    if isinstance(result, results.Message): 
     if result.type==log_type: 
      print result.message 
      n_errors+=1 

---

Si può avere problemi con i dati .load() in quanto richiede un xml con un singolo nodo radice. Se si dispone di risultati più nodi in un feed può ovviare a questo avvolgere il tuo feed, vale a dire: "<root>+open("feed.xml").read()</root>"

Se si ha accesso al materiale grezzo al posto di un oggetto di dati, è possibile utilizzare lxml posto della Splunk lib

len(lxml.etree.parse("results.xml").findall("//messages/msg[@type='ERROR']")) 

---

Quanto segue è un esempio completo basato sulla documentazione di splunklib. ResultsReader analizza il feed atom e chiama data.load() per ogni risultato.

 import splunklib.client as client 
     import splunklib.results as results 
     from time import sleep 

     log_type='ERROR' 

     service = client.connect(...) 
     job = service.jobs.create("search * | head 5") 
     while not job.is_done(): 
      sleep(.2) 
     rr = results.ResultsReader(job.results()) 
     for result in rr: 
      if isinstance(result, results.Message): 
       # Diagnostic messages may be returned in the results 
       # Check the type and do something. 
       if result.type == log_type: 
       print '%s: %s' % (result.type, result.message) 
      elif isinstance(result, dict): 
       # Normal events are returned as dicts 
       # Do something with them if required. 
       pass 
     assert rr.is_preview == False