A script to get ES (Enterprise Security) asset info via Python in Splunk #splunk
import getpass
import os
import sys
import time

import splunk.auth
import splunk.search
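def _escape_spl_string(value):
    """Escape *value* for embedding inside a double-quoted SPL string literal.

    A backslash or double quote in a caller-supplied host name would otherwise
    terminate the ``eval asset="..."`` literal and let the remainder of the
    value run as additional search commands under the caller's session.  The
    value is first stringified exactly as the original ``%s`` formatting did.
    """
    text = '%s' % (value,)
    return text.replace('\\', '\\\\').replace('"', '\\"')


def _strip_asset_prefix(event):
    """Return the fields of one result row as a dict, dropping the ``asset_`` prefix.

    The original author notes that the ``get_asset`` macro prepends ``asset_``
    to the field names it returns.  Only a *leading* ``asset_`` is removed; a
    field whose name merely contains ``asset_`` elsewhere is kept as-is (the
    previous substring test would have chopped six characters off it).
    """
    fields = {}
    for key in event.keys():
        if key.startswith('asset_'):
            fields[key[len('asset_'):]] = event[key]
        else:
            fields[key] = event[key]
    return fields


def get_asset(host, session_key, timeout=None):
    """Resolve *host* through the ES ``get_asset`` macro and return its fields.

    Dispatches ``| stats count | eval asset="<host>" | fields asset |
    `get_asset(asset)``` as a Splunk search authenticated with *session_key*,
    waits for the job to finish, and returns the first result row as a plain
    dict with the ``asset_`` prefix stripped from each field name.  An empty
    dict is returned when the search yields no rows.

    Parameters
    ----------
    host : str
        Asset identifier to look up.  It is escaped before being placed in the
        SPL string so quotes or backslashes in the value cannot break out of
        the literal (SPL injection).
    session_key : str
        Splunk session key used to dispatch and then read the search job.
    timeout : float or None
        Maximum number of seconds to wait for the job.  ``None`` (the default)
        waits indefinitely, matching the original behaviour.

    Raises
    ------
    RuntimeError
        If *timeout* elapses before the search job reports that it is done.
    """
    search = ('| stats count | eval asset="%s" | fields asset | `get_asset(asset)`'
              % _escape_spl_string(host))
    # All-time window, as in the original script.
    earliest_time = "0"
    latest_time = "now"

    search_job = splunk.search.dispatch(search,
                                        earliest_time=earliest_time,
                                        latest_time=latest_time,
                                        sessionKey=session_key)

    # Poll until the job completes.  Without a deadline this can block a
    # caller (e.g. a REST handler) forever if the search queues or hangs.
    deadline = None if timeout is None else time.time() + timeout
    while not search_job.isDone:
        if deadline is not None and time.time() > deadline:
            # NOTE(review): consider also cancelling the dispatched job here so
            # it does not keep occupying a search slot -- confirm the API.
            raise RuntimeError(
                'Timed out after %s seconds waiting for asset search %s'
                % (timeout, search_job.sid))
        time.sleep(1)

    # Re-fetch the finished job by SID, as the original did, and read its
    # results; only the first row is used.
    job = splunk.search.getJob(search_job.sid, sessionKey=session_key)
    for event in job.results:
        return _strip_asset_prefix(event)
    return {}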
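if __name__ == "__main__":
    # Credentials come from the environment (or an interactive prompt), never
    # from source: the original hard-coded Splunk's default admin/changeme
    # pair, which leaks the password into every copy of this script and
    # encourages leaving the default credential in place.
    username = os.environ.get("SPLUNK_USERNAME", "admin")
    password = os.environ.get("SPLUNK_PASSWORD") or getpass.getpass(
        "Splunk password for %s: " % username)
    session_key = splunk.auth.getSessionKey(username=username, password=password)

    # Host to look up: first CLI argument, else the original example value.
    target = sys.argv[1] if len(sys.argv) > 1 else "HOST-003"
    print(get_asset(target, session_key))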