Splunk® Enterprise

Module System Reference



Splunk Enterprise version 7.3 will no longer be supported as of June 4, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

SplunkQuerySet

Important notice: As part of Advanced XML deprecation, the Module System is officially deprecated beginning with Splunk Enterprise 6.3. For more information, see Advanced XML Deprecation.

all()

The all() method gets the entire set of model objects for all models in scope.

Use this method in combination with filter(), filter_by_app(), filter_by_user(), and search() to populate lists or locate specific entities from the pool of models in scope.

Synopsis

querySet = all()

Return Value

Object A SplunkQuerySet object containing a list of all models in scope.

See Also

filter()
filter_by_app()
filter_by_user()
order_by()
search()

filter()

The filter() method gets a clone of the current query set, which is filtered by the kwargs model field names.

Synopsis

clone = filter( **kwargs )

Parameters

**kwargs Dict Dictionary corresponding to model fields and values by which to filter the current result set.

Return Value

Object SplunkQuerySet object representing a filtered clone of the current result set.

Raises

Exception 'cannot filter on unknown field: %s' % arg

Example

from splunk.models.app import App

class AlertsController(BaseController):

   def index(self, app, **params):
       apps  = App.all().filter(is_disabled=False)

See Also

all()
filter_by_app()
filter_by_user()
order_by()
search()

filter_by_app()

The filter_by_app() method provides app-based filtering by getting a clone of the current query set.

Synopsis

clone = filter_by_app( app )

Parameters

app String App name to use for filtering.

Return Value

Object SplunkQuerySet object representing a filtered clone of the current result set.

Example

from splunk.models.fired_alert import FiredAlert, FiredAlertSummary

class AlertsController(BaseController):

    # ... elided ...
    def index(self, app, **params):
        # Chain the filters; each call returns a filtered clone
        fired_alert_summary = FiredAlertSummary.all().filter_by_app(
            alerts_app).filter_by_user(alerts_user)

See Also

all()
filter()
filter_by_user()
order_by()
search()

filter_by_user()

The filter_by_user() method provides user-based filtering by getting a clone of the current query set.

Synopsis

clone = filter_by_user( user )

Parameters

user String Object owner name used for filtering.

Return Value

Object SplunkQuerySet object representing a filtered clone of the current result set.

Example

from splunk.models.fired_alert import FiredAlert, FiredAlertSummary

class AlertsController(BaseController):

    def index(self, app, **params):
        # Chain the filters; each call returns a filtered clone
        fired_alert_summary = FiredAlertSummary.all().filter_by_app(
            alerts_app).filter_by_user(alerts_user)

See Also

all()
filter()
filter_by_app()
search()

get_entities()

The get_entities() wrapper creates Splunk Entity object sets of stored Splunk configuration objects.

Note: This method is called by the iterator() during SplunkQuerySet instantiation and, generally, does not need to be called directly.

Synopsis

entities = get_entities( **kwargs )

Parameters

**kwargs Dict De-serialized key-value pairs.

Return Value

Entity An Entities object containing zero or more entities.

See Also

iterator()

iterator()

The iterator() method iteratively gets resource entities, using an internal count-per-request that is set when SplunkQuerySet is instantiated.

Note: This method does not need to be called directly, because it is used with the built-in __iter__() method and accessed implicitly by calling SplunkQuerySet.next(). Overriding this method is not recommended unless the model has properties that require a special iterator.

Synopsis

model = iterator()

Yields

Function Generator function representing an iteration of SplunkQuerySet.

Raises

splunk.AuthenticationFailed

See Also

get_entities()

order_by()

The order_by() method gets a clone of the current result set, ordered by the specified model field and sorting order.

Synopsis

clone = order_by( key, direction)

Parameters

key String Key to sort on.
direction String Sort direction:
    asc = Ascending order.
    desc = Descending order.

Return Value

Object A clone of the current SplunkQuerySet object sorted by key and direction.

Example

from splunk.models.base import SplunkQuerySet

class MyAppModel(SplunkRESTModel):

See Also

all()
filter()
filter_by_app()
filter_by_user()
search()
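
The behaviour documented above for filter() (a clone is returned, and an unknown field name raises) and for order_by(), as an added example that is not Splunk code: StubQuerySet, filter_from_request, and the sample app list are hypothetical stand-ins constructed here. It shows request parameters, such as the **params a controller's index() receives, being reduced to an allowlist of model fields before they reach filter().

```python
# Added example: StubQuerySet is a hypothetical in-memory stand-in, not Splunk code.
# It models only what the reference states: filter() and order_by() return clones,
# and filter() raises on a field name the model does not define.

class StubQuerySet(object):
    def __init__(self, rows, fields):
        self._rows = list(rows)       # constructed sample entities (dicts)
        self._fields = set(fields)    # field names the model defines

    def _clone(self, rows):
        return StubQuerySet(rows, self._fields)

    def filter(self, **kwargs):
        for arg in kwargs:
            if arg not in self._fields:
                raise Exception('cannot filter on unknown field: %s' % arg)
        return self._clone(r for r in self._rows
                           if all(r[k] == v for k, v in kwargs.items()))

    def order_by(self, key, direction):
        return self._clone(sorted(self._rows, key=lambda r: r[key],
                                  reverse=(direction == 'desc')))

    def __iter__(self):
        return iter(self._rows)


def filter_from_request(query_set, params, allowed_fields):
    """Apply only allowlisted request parameters as filter() kwargs."""
    kwargs = dict((k, v) for k, v in params.items() if k in allowed_fields)
    return query_set.filter(**kwargs)


# Constructed sample data standing in for App.all()
APPS = StubQuerySet(
    [{'name': 'search', 'is_disabled': False},
     {'name': 'legacy', 'is_disabled': True},
     {'name': 'alerts', 'is_disabled': False}],
    fields=['name', 'is_disabled'])


def enabled_app_names(params):
    """Names of apps matching the allowlisted params, in descending order."""
    result = filter_from_request(APPS, params, allowed_fields={'is_disabled'})
    return [row['name'] for row in result.order_by('name', 'desc')]
```

Because every call returns a clone, APPS itself still holds all three sample entries after enabled_app_names() runs.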

search()

The search() method gets a clone of the current query set constrained by the specified search_string. This method is used to perform free text search against a SplunkQuerySet to limit the results returned.

Synopsis

clone = search( search_string )

Parameters

search_string String Search string by which to constrain the results.

Return Value

Object Clone of the current SplunkQuerySet with only members that match the specified search_string.

Example

import urllib

from splunk.models.base import SplunkQuerySet
from splunk.models.fired_alert import FiredAlert, FiredAlertSummary

class MyAppModel(SplunkQuerySet):

    def index(self, app, **params):
        # ... elided ...
        if 'alerts_id' not in params:
            fired_alerts = FiredAlert.all()
        else:
            fired_alerts = FiredAlert.get_alerts(
                urllib.unquote_plus(params.get('alerts_id')))
        # augment query with search
        if len(search_string) > 0:
            fired_alerts = fired_alerts.search(' '.join(search_string))
        # ... elided ...

See Also

all()
filter()
filter_by_app()
filter_by_user()
order_by()

Last modified on 12 August, 2019

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9

