Splunk® Enterprise

Search Manual

Export data using the Splunk SDKs

Splunk Software Development Kits (SDKs) let software developers create Splunk apps using common programming languages. With the Splunk SDKs you can integrate Splunk deployments with third-party reporting tools and portals, include search results in your own application, and extract high volumes of data for archival purposes. Using the Splunk SDKs requires proficiency with the SDKs and with software development.

Splunk offers SDKs for Python, Java, JavaScript, and C#. Export searches in these SDKs run immediately, do not create a search job, and stream results as soon as they are available.

The Splunk SDKs are built on top of the Splunk REST API. They provide a simpler interface for the REST API endpoints. With fewer lines of code, you can write applications that can:

  • Create and run authenticated searches
  • Add data
  • Index data
  • Manage search jobs
  • Configure Splunk

For more information about the Splunk SDKs, read "Overview of the Splunk SDKs" in the Splunk Developer Portal.

Use Python SDK to export data

The Splunk SDK for Python lets you write Python applications that interact with Splunk deployments. Export searches using the Python SDK can be run in historical mode and real-time mode. They start right away and stream results instantly, so you can integrate them into your Python application.

To perform an export search using the Python SDK:

1. Import the splunklib client and results modules. The following example runs an export search over the _internal index for the last hour.

import splunklib.client as client
import splunklib.results as results

2. Connect to the Splunk service and run the export search.

service = client.connect(…)  # host, port, username, and password for your deployment
rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

3. Iterate over the results and display them using the ResultsReader.

for result in rr:
    if isinstance(result, results.Message):
        # Diagnostic messages may be returned in the results
        print('%s: %s' % (result.type, result.message))
    elif isinstance(result, dict):
        # Normal events are returned as dicts
        print(result)
# An export search streams final results only, never previews
assert rr.is_preview == False

Use Java SDK to export data

The Java SDK lets you run export searches from Java applications.

To perform an export search using the Java SDK, run the following example in the /splunk-sdk-java directory using the CLI:

java -jar dist/examples/export.jar main --username="admin" --password="changeme"

The Export application exports the "main" index to export.out, which is saved to the current working directory. If you want to run this application again, delete export.out first; otherwise the application exits with an error.

Here is a different CLI example of the Java SDK. It shows how to include a search query and change the output format to JSON.

java -jar dist/examples/export.jar main --search="search sourcetype=access_*" json

Use JavaScript Export to export data

The JavaScript Export endpoint can export Splunk data from JavaScript. Although the Splunk JavaScript SDK does not currently support the export endpoint, you can use a Node.js (.js) application to request the export directly.

To perform an export search using the JavaScript Export endpoint:

1. Load the request module. Request is designed to be the simplest way to make an HTTP/HTTPS call.

var request = require('request');

2. Call request.get to issue a GET request with the following options:

  • strictSSL – When set to false, strictSSL tells the request not to validate the server certificate returned by your Splunk deployment, which by default is a self-signed certificate that fails validation.
  • uri – Provide the URI of the Splunk host along with the path for the export endpoint. A JSON response is specified in the query string.
  • qs – Set qs to supply the search parameter. By passing it this way, you do not have to URI-encode the search string.

request.get(
    {
        strictSSL: false,
        uri: 'https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=json',
        qs: {
            search: 'search index=_internal'
        }
    }
)

3. Call auth to use HTTP Basic Auth and pass your Splunk username and password.

.auth('admin', 'changeme', false)

4. Pipe the results to stdout.

.pipe(process.stdout);


Use C# SDK to export data

An export search using the C# SDK runs asynchronously and immediately, does not create a job for the search, and starts streaming results right away. The C# SDK is useful when exporting large amounts of historical or real-time data.

To perform an export search using the C# SDK:

1. Declare a SearchPreviewStream to receive the result previews.

SearchPreviewStream searchPreviewStream;

2. Export the search result previews.

using (searchPreviewStream = service.ExportSearchPreviewsAsync("search index=_internal | head 100").Result)
{
    int previewNumber = 0;

3. Enumerate through each search result preview.

    foreach (var searchPreview in searchPreviewStream.ToEnumerable())
    {
        Console.WriteLine("Preview {0:D8}: {1}", ++previewNumber, searchPreview.IsFinal ? "final" : "partial");
        int recordNumber = 0;

        foreach (var result in searchPreview.Results)
        {
            Console.WriteLine(string.Format("{0:D8}: {1}", ++recordNumber, result));
        }
    }
}


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0
