
@hrbrmstr
Last active February 27, 2016 02:01
Immediate splunk search

Basic httr idiom for querying Splunk's REST API from R; it gets uglier with saved searches.

Set three variables in your .Renviron: SPLUNK_API_SERVER, SPLUNK_USERNAME and SPLUNK_PASSWORD (the ones the code reads with Sys.getenv()).

sample run:

> tmp <- search_now("host=vagrant sourcetype=syslog session closed")
> head(tmp)

  X_serial                      X_time            source sourcetype    host index splunk_server
1        0 2015-07-29 21:17:01.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
2        1 2015-07-29 20:17:01.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
3        2 2015-07-29 19:17:01.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
4        3 2015-07-29 19:08:06.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
5        4 2015-07-29 19:07:21.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
6        5 2015-07-29 19:07:21.000 UTC /var/log/auth.log     syslog vagrant  main       vagrant
                                                                                        X_raw
1    Jul 29 21:17:01 vagrant CRON[4389]: pam_unix(cron:session): session closed for user root
2    Jul 29 20:17:01 vagrant CRON[2962]: pam_unix(cron:session): session closed for user root
3    Jul 29 19:17:01 vagrant CRON[1704]: pam_unix(cron:session): session closed for user root
4          Jul 29 19:08:06 vagrant sudo: pam_unix(sudo:session): session closed for user root
5 Jul 29 19:07:21 vagrant sshd[1167]: pam_unix(sshd:session): session closed for user vagrant
6          Jul 29 19:07:21 vagrant sudo: pam_unix(sudo:session): session closed for user root
#' Run a Splunk search immediately via the search/jobs/export REST endpoint
#'
#' @param search_terms SPL search terms; "search " is prepended automatically
#' @param ... other parameters passed to the httr GET request
#' @return data.frame of results
search_now <- function(search_terms, ...) {

  require(httr)

  # i.e. "https://localhost:8089"
  splunk_server <- Sys.getenv("SPLUNK_API_SERVER")
  username <- Sys.getenv("SPLUNK_USERNAME")
  password <- Sys.getenv("SPLUNK_PASSWORD")

  search_job_export_endpoint <- "servicesNS/admin/search/search/jobs/export"

  response <- GET(splunk_server,
                  path=search_job_export_endpoint,
                  encode="form",
                  # certificate and hostname checks are disabled here, which is only
                  # acceptable against a local self-signed test instance
                  config(ssl_verifyhost=FALSE, ssl_verifypeer=FALSE),
                  authenticate(username, password),
                  query=list(search=paste0("search ", search_terms, collapse=""),
                             output_mode="csv"),
                  # verbose() echoes the outgoing headers, Authorization included, to the console
                  verbose(), ...)

  # read.csv rather than read.table: read.table's defaults treat '#' as a comment
  # start and a single quote as a quote character, both common in raw log lines
  result <- read.csv(text=content(response, as="text", encoding="UTF-8"),
                     stringsAsFactors=FALSE)

  result

}
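The same idiom with the transport hardened, as an added example that is not part of the original gist: TLS verification stays on (a SPLUNK_CA_BUNDLE environment variable, an assumption not in the gist, points at the CA that issued the management certificate), the password is sent once to Splunk's services/auth/login endpoint in exchange for a session key, each search then carries an Authorization: Splunk header instead of basic-auth credentials, HTTP errors are raised instead of being parsed as CSV, and an empty export body is handled. The function and helper names (splunk_login, search_now2, splunk_tls) are this example's own.

```r
# Added example, not the gist's code. Assumptions: SPLUNK_CA_BUNDLE holds the path
# to the CA bundle for the Splunk management cert; the standard Splunk REST
# endpoints services/auth/login and services/search/jobs/export are in use.
library(httr)

splunk_base <- function() {
  server <- Sys.getenv("SPLUNK_API_SERVER")   # e.g. "https://splunk.example.internal:8089"
  if (!nzchar(server)) stop("SPLUNK_API_SERVER is not set")
  server
}

# TLS config: verification stays ON. For a self-signed management cert, point
# SPLUNK_CA_BUNDLE at the cert (or the CA that issued it) instead of disabling checks.
splunk_tls <- function() {
  ca <- Sys.getenv("SPLUNK_CA_BUNDLE")
  if (nzchar(ca)) config(cainfo = ca) else config()
}

# Log in once and return a session key, so the username/password are sent for
# this one request only and never appear in per-search request headers.
splunk_login <- function() {
  resp <- POST(splunk_base(),
               path = "services/auth/login",
               splunk_tls(),
               body = list(username = Sys.getenv("SPLUNK_USERNAME"),
                           password = Sys.getenv("SPLUNK_PASSWORD"),
                           output_mode = "json"),
               encode = "form")
  stop_for_status(resp)   # a 401 here means bad credentials, not a bad search
  jsonlite::fromJSON(content(resp, as = "text", encoding = "UTF-8"))$sessionKey
}

# Run a search through the export endpoint and parse the CSV into a data.frame.
search_now2 <- function(search_terms, session_key = splunk_login(),
                        earliest_time = "-24h", latest_time = "now", ...) {
  # Splunk needs the leading "search" command; add it only when it is missing
  # (a pipeline that already starts with "| " must not get one).
  spl <- trimws(search_terms)
  if (!grepl("^(search\\b|\\|)", spl, perl = TRUE)) spl <- paste("search", spl)

  resp <- POST(splunk_base(),
               path = "services/search/jobs/export",
               splunk_tls(),
               add_headers(Authorization = paste("Splunk", session_key)),
               body = list(search = spl,
                           earliest_time = earliest_time,
                           latest_time = latest_time,
                           output_mode = "csv"),
               encode = "form", ...)
  stop_for_status(resp)   # surface 401/403/4xx instead of feeding an error page to read.csv

  txt <- content(resp, as = "text", encoding = "UTF-8")
  # An export with no matching events returns an empty body, which read.csv rejects.
  if (!nzchar(trimws(txt))) return(data.frame())
  # check.names = FALSE keeps Splunk's _serial/_time/_raw names instead of X_serial etc.
  read.csv(text = txt, stringsAsFactors = FALSE, check.names = FALSE)
}

# usage (needs a reachable Splunk instance):
# key <- splunk_login()
# tmp <- search_now2("host=vagrant sourcetype=syslog session closed", session_key = key)
```

No verbose() is attached to either request on purpose: it would echo the request headers, including the session key, to the console. The bounded earliest_time/latest_time window is a deliberate default, since an unbounded export against a busy index can stream far more than R comfortably holds in memory.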
@deb14

deb14 commented Sep 3, 2015

I am getting a 401 error with the export service; however, I used the search jobs endpoint to get a sid, but with this code it returns the whole list of searches that exist. However, when I used the same query in curl I was able to get the sid output.

@hrbrmstr

hrbrmstr commented Sep 4, 2015

It's a template for the framework of how to use httr to make the calls, not a full package, so you'll have to work through the parameter requirements. I'm not keen on helping Splunk make any more $ than they already do, otherwise I'd build a whole pkg for this.
