1. 首頁
  2. 問答
  3. 從Python中的Splunk搜索中返回錯誤數

從Python中的Splunk搜索中返回錯誤數

2016-03-09 20 views
6

有沒有什麼方法可以獲得使用splunklib.results模塊或任何splunklib模塊進行Splunk搜索期間發生的錯誤數?從Python中的Splunk搜索中返回錯誤數

下面,是迄今爲止我的代碼:

#purpose of script: To connect to Splunk, execute a query, and write the query results out to an excel file. 
#query results = multiple dynamiC# of rows. 7 columns. 

#!/usr/bin/env python 
import splunklib.client as client #splunklib.client class is used to connect to splunk, authenticate, and maintain session 
import splunklib.results as results #module for returning results and printing/writing them out 

listOfAppIDs = [] 
#open file to read each line and add each line in file to an array. These are our appID's to search 
with open('filelocation.txt', 'r') as fi: 
    for line in fi: 
     listOfAppIDs.append(line.rstrip('\n')) 
print listOfAppIDs 

#identify variables used to log in 
HOST = "8.8.8.8" 
PORT = 8089 
USERNAME = "uName" 
PASSWORD = "pWord" 

startPoint = "appID1" #initial start point in array 

outputCsv = open('filelocation.csv', 'wb') 
fieldnames = ['Application ID', 'transport', 'dst_port', 'Average Throughput per Month','Total Sessions Allowed', 'Unique Source IPs', 'Unique Destination IPs'] 
writer = csv.DictWriter(outputCsv, fieldnames=fieldnames) 
writer.writeheader(); 

def connect(): 
    global startPoint , item 
    print "startPoint: " + startPoint 

    #Create a service instance by using the connect function and log in 
    service = client.connect(
     host=HOST, 
     port=PORT, 
     username=USERNAME, 
     password=PASSWORD, 
     autologin=True 
    ) 
    jobs = service.jobs# Get the collection of jobs/searches 
    kwargs_blockingsearch = {"exec_mode": "normal"} 

    try: 
     for item in listOfAppIDs: 
      errorCount=0 
      print "item: " + item 
      if (item >= startPoint):  
       searchquery_blocking = "search splunkQery" 
       print item + ':' 
       job = jobs.create(searchquery_blocking, **kwargs_blockingsearch) # A blocking search returns query result. Search executes here 
       print "Splunk query for appID " , item , " completed! \n" 
       resultCount = job["resultCount"] #number of results this job (splunk query) returned 
       print "result count " , resultCount 
       rr = results.ResultsReader(job.results()) 
       for result in rr: 
        if isinstance(result, results.Message): 
         # Diagnostic messages may be returned in the results 
         # Check the type and do something. 
         if result.type == log_type: 
          print '%s: %s' % (result.type, result.message) 
          errorCount+=1 
        elif isinstance(result, dict): 
         # Normal events are returned as dicts 
         # Do something with them if required. 
         print result 
         writer.writerow([result + errorCount]) 
         pass 
       assert rr.is_preview == False 
    except: 
     print "\nexcept\n" 
     startPoint = item #returh to connect function but start where startPoint is at in array 
     connect() 

    print "done!"  

connect()

我碰到下面的錯誤與上面的代碼:

'OrderedDict' object has no attribute 'messages'

來源

2016-03-09 pHorseSpec

+2

哈哈哈HOST =「8.8.8.8」。這是谷歌的DNS服務器;-) –

回答

3 
from splunklib import results 
my_feed=results.ResultsReader(open("results.xml")) 

log_type='ERROR' 

n_errors=0 
for result in my_feed.results: 
    if isinstance(result, results.Message): 
     if result.type==log_type: 
      print result.message 
      n_errors+=1

你可能有數據問題.load(),因爲它需要一個具有單個根節點的xml。如果你有一個飼料多個結果節點可以解決此包裹你的飼料,即:"<root>+open("feed.xml").read()</root>"

如果您有訪問原始的飼料,而不是一個數據對象,你可以使用LXML insted的Splunk的LIB的

len(lxml.etree.parse("results.xml").findall("//messages/msg[@type='ERROR']"))

以下是基於splunklib文檔的完整示例。 ResultsReader解析原子數據源,並針對每個結果調用data.load()

 import splunklib.client as client 
     import splunklib.results as results 
     from time import sleep 

     log_type='ERROR' 

     service = client.connect(...) 
     job = service.jobs.create("search * | head 5") 
     while not job.is_done(): 
      sleep(.2) 
     rr = results.ResultsReader(job.results()) 
     for result in rr: 
      if isinstance(result, results.Message): 
       # Diagnostic messages may be returned in the results 
       # Check the type and do something. 
       if result.type == log_type: 
       print '%s: %s' % (result.type, result.message) 
      elif isinstance(result, dict): 
       # Normal events are returned as dicts 
       # Do something with them if required. 
       pass 
     assert rr.is_preview == False

來源

2016-03-11 22:17:09 xvan

+0

哪裏可以找到我的'feed.xml'文件? – pHorseSpec

+0

增加了一個完整的例子...檢查不同的'client.connect()'參數的客戶文檔。您的xml通過作業中的rest api檢索......可以創建一個新作業(如示例一),也可以通過'client.job()'方法通過'sid'檢索預定作業。 – xvan

+0

否則,計劃作業可能會將結果存儲在splunk服務器上的xml文件中。然後你可以直接訪問它。 – xvan

相關問題

 相關問題