The splunklib.data module reads the responses from splunkd in Atom Feed format, which is the format used by most of the REST API.

splunklib.data.load(text, match=None)

This function reads a string that contains the XML of an Atom Feed, then returns the data in a native Python structure (a dict or list). If you also provide a tag name or path to match, only the matching sub-elements are loaded.

  • text (string) – The XML text to load.
  • match (string) – A tag name or path to match (optional).

This function returns a Record instance constructed with an initial value that you provide.

Parameters:value (dict) – An initial record value.
class splunklib.data.Record

This generic utility class enables dot access to members of a Python dictionary.

Any key that is also a valid Python identifier can be retrieved as a field. So, for an instance of Record called r, r.key is equivalent to r['key']. A key such as invalid-key or invalid.key cannot be retrieved as a field, because - and . are not allowed in identifiers.

Keys of the form a.b.c are very natural to write in Python as fields. If a group of keys shares a prefix ending in ., you can retrieve keys as a nested dictionary by calling only the prefix. For example, if r contains keys 'foo', 'bar.baz', and 'bar.qux', r.bar returns a record with the keys baz and qux. If a key contains multiple ., each one is placed into a nested dictionary, so you can write r.bar.qux or r['bar.qux'] interchangeably.