splunklib.results¶
The splunklib.results module provides a streaming XML reader for Splunk search results.
Splunk search results can be returned in a variety of formats including XML, JSON, and CSV. To make it easier to stream search results in XML format, they are returned as a stream of XML fragments, not as a single XML document. This module supports incrementally reading one result record at a time from such a result stream. This module also provides a friendly iterator-based interface for accessing search results while avoiding buffering the result set, which can be very large.
To use the reader, instantiate ResultsReader on a search result stream
as follows::
reader = ResultsReader(result_stream)
for item in reader:
print(item)
print "Results are a preview: %s" % reader.is_preview
-
class
splunklib.results.Message(type_, message)¶ This class represents informational messages that Splunk interleaves in the results stream.
Messagetakes two arguments: a string giving the message type (e.g., “DEBUG”), and a string giving the message itself.Example:
m = Message("DEBUG", "There's something in that variable...")
-
class
splunklib.results.ResultsReader(stream)¶ This class returns dictionaries and Splunk messages from an XML results stream.
ResultsReaderis iterable, and returns adictfor results, or aMessageobject for Splunk messages. This class has one field,is_preview, which isTruewhen the results are a preview from a running search, orFalsewhen the results are from a completed search.This function has no network activity other than what is implicit in the stream it operates on.
Parameters: stream – The stream to read from (any object that supports .read()).Example:
import results response = ... # the body of an HTTP response reader = results.ResultsReader(response) for result in reader: if isinstance(result, dict): print "Result: %s" % result elif isinstance(result, results.Message): print "Message: %s" % result print "is_preview = %s " % reader.is_preview