The splunklib.results module provides a streaming XML reader for Splunk search results.
Splunk search results can be returned in a variety of formats including XML, JSON, and CSV. To make it easier to stream search results in XML format, they are returned as a stream of XML fragments, not as a single XML document. This module supports incrementally reading one result record at a time from such a result stream. This module also provides a friendly iterator-based interface for accessing search results while avoiding buffering the result set, which can be very large.
To use the reader, instantiate ResultsReader on a search result stream as follows::

    from splunklib.results import ResultsReader

    # result_stream is any object that supports .read()
    reader = ResultsReader(result_stream)
    for item in reader:
        print(item)
    print("Results are a preview: %s" % reader.is_preview)

This class represents informational messages that Splunk interleaves in the results stream.
Message takes two arguments: a string giving the message type (e.g., “DEBUG”), and a string giving the message itself.
Example::

    m = Message("DEBUG", "There's something in that variable...")

This class returns dictionaries and Splunk messages from an XML results stream.
ResultsReader is iterable, and returns a dict for results, or a Message object for Splunk messages. This class has one field, is_preview, which is True when the results are a preview from a running search, or False when the results are from a completed search.
This function has no network activity other than what is implicit in the stream it operates on.
Parameters:
    stream – The stream to read from (any object that supports .read()).
Example::

    import splunklib.results as results

    response = ... # the body of an HTTP response
    reader = results.ResultsReader(response)
    for result in reader:
        if isinstance(result, dict):
            # A search result record
            print("Result: %s" % result)
        elif isinstance(result, results.Message):
            # An informational message interleaved in the stream
            print("Message: %s" % result)
    print("is_preview = %s " % reader.is_preview)
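
What "a stream of XML fragments, not a single XML document" means for a parser, shown as an added example that is not the SDK's own code: it uses only the standard library, wraps the stream in a synthetic `<doc>` root and parses it incrementally without buffering the whole result set. The sample bytes are constructed, and the element and attribute names (`results`, `preview`, `msg`, `result`, `field k=`) are assumptions about Splunk's XML output; fields are assumed single-valued.

```python
import io
import re
import xml.etree.ElementTree as ET

XML_DECL = re.compile(rb"<\?xml.*?\?>", re.S)

# Constructed sample (element names are assumptions): a preview fragment, then a final one.
SAMPLE = (
    b"<?xml version='1.0' encoding='UTF-8'?>\n"
    b"<results preview='1'><messages><msg type='DEBUG'>constructed debug text</msg></messages>"
    b"<result offset='0'><field k='host'><value><text>web01</text></value></field></result></results>\n"
    b"<?xml version='1.0' encoding='UTF-8'?>\n"
    b"<results preview='0'><result offset='0'><field k='host'><value><text>web01</text></value></field>"
    b"<field k='count'><value><text>3</text></value></field></result></results>\n"
)

def is_single_document(data):
    """A plain XML parser rejects the stream: it has more than one root element."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False

def read_fragments(stream, chunk_size=4096):
    """Yield ('preview', bool), ('message', (type, text)) or ('result', dict)."""
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(b"<doc>")  # synthetic root: the fragments become its children
    pending = b""
    while True:
        chunk = stream.read(chunk_size)
        data = XML_DECL.sub(b"", pending + chunk)  # per-fragment declarations are illegal mid-document
        pending = b""
        cut = data.rfind(b"<")
        if chunk and cut > data.rfind(b">"):  # hold back an unfinished tag or declaration
            data, pending = data[:cut], data[cut:]
        parser.feed(data)
        for event, elem in parser.read_events():
            if event == "start" and elem.tag == "results":
                yield "preview", elem.get("preview") == "1"
            elif event == "end" and elem.tag == "msg":
                yield "message", (elem.get("type"), elem.text)
            elif event == "end" and elem.tag == "result":
                yield "result", {f.get("k"): "".join(f.itertext()) for f in elem.iter("field")}
                elem.clear()  # drop the record's children once it has been emitted
        if not chunk:
            break

if __name__ == "__main__":
    for kind, value in read_fragments(io.BytesIO(SAMPLE), chunk_size=16):
        print(kind, value)
```
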