import requests
import os
from lxml import etree
# remove old clients from deployment server
# Connection settings are read from the environment so that no credentials
# are stored in the script; each value is None when its variable is unset.
deployment_server = os.environ.get('SPLUNK_DS')
splunk_username = os.environ.get('SPLUNK_DS_USER')
splunk_password = os.environ.get('SPLUNK_DS_PASS')
# (user, password) pair handed to requests as HTTP basic-auth credentials.
ds_auth = splunk_username, splunk_password
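def remove_client(guid):
    """Delete one client record from the deployment server.

    Sends an HTTP DELETE to ``services/deployment/server/clients/<guid>`` on
    port 8089 of ``deployment_server`` and prints the response status code.

    Args:
        guid: Client identifier, as returned by ``find_old_clients``.
    """
    # Function-scope import: the file's import block does not provide urllib.
    from urllib.parse import quote

    if not guid:
        # An empty identifier would address the collection URL instead of a
        # single client, so skip it rather than send the request.
        print('skipping empty client identifier')
        return

    print(f'removing: {guid}')
    endpoint = 'services/deployment/server/clients'
    # The identifier comes out of a search result; encode it as one path
    # segment so characters such as '/', '?' or '#' cannot redirect the
    # DELETE to a different REST resource.
    client_segment = quote(str(guid), safe='')
    # NOTE(review): this URL is plain http, so the basic-auth credentials in
    # ds_auth cross the network unencrypted. Prefer https with certificate
    # verification if the management port supports it - confirm against the
    # server configuration.
    response = requests.delete(
        f'http://{deployment_server}:8089/{endpoint}/{client_segment}',
        auth=ds_auth,
        timeout=30,  # requests waits indefinitely when no timeout is given
    )
    print(response.status_code)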
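def find_old_clients(max_age_seconds=86400):
    """Return the identifiers of clients that have not phoned home recently.

    Runs a search through the ``search/jobs/export`` endpoint that lists the
    deployment server's clients and keeps those whose last phone-home is
    older than ``max_age_seconds``.

    Args:
        max_age_seconds: Age threshold in seconds. Common values:
            6h = 21600, 12h = 43200, 24h = 86400 (default), 48h = 172800.

    Returns:
        A list of client identifier strings; empty when nothing matched.

    Raises:
        requests.HTTPError: If the server answers with an error status.
    """
    # int() guarantees that only a plain number is spliced into the search
    # string, whatever the caller passed in.
    age_limit = int(max_age_seconds)
    search = ('| rest splunk_server=local /services/deployment/server/clients '
              '| eval last_seen = now() - lastPhoneHomeTime '
              f'| where last_seen > {age_limit} '
              '| rename clientName as guid '
              '| fields guid')
    data = {'search': search}
    endpoint = 'servicesNS/admin/search/search/jobs/export'
    # NOTE(review): this URL is plain http, so the basic-auth credentials in
    # ds_auth and the returned client list cross the network unencrypted.
    # Prefer https with certificate verification if the management port
    # supports it - confirm against the server configuration.
    response = requests.post(
        f'http://{deployment_server}:8089/{endpoint}',
        data=data,
        auth=ds_auth,
        timeout=60,  # requests waits indefinitely when no timeout is given
    )
    # An authentication or search error must not be read as "no old clients".
    response.raise_for_status()

    if not response.content.strip():
        # An empty body is not a parseable XML document; report no matches.
        return []

    # The body arrives over the network: parse it without expanding entities
    # or fetching external resources.
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    xmlroot = etree.fromstring(response.content, parser=parser)
    # Drop empty <text> elements so that callers never receive None.
    return [node.text
            for node in xmlroot.findall('result/field/value/text')
            if node.text]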
if __name__ == '__main__':
    # Script entry point: look up the stale clients, then delete each one.
    for stale_guid in find_old_clients():
        remove_client(stale_guid)