We understood the use of an SDK and also saw the installation part of the Splunk SDK for Python. Now, we will see how the SDK can be used to integrate the power of Splunk's analytics and visualization.
The following import statement will make the Splunk API available for use in Python:
import splunklib.client as client import splunklib.results as results
The preceding two import statements make the API exposed using the Splunk SDK that is to be used in the Python code for integration.
The following image in the code snippet connects and also authenticates the Splunk server. The login details can be passed as a parameter when running the Python code or can be hardcoded in the code itself and can be saved in a .splunkrc file:
Once the authentication is successful, the Splunk APIs can be used to send data on Splunk, enlist or run saved searches, run a search query on Splunk, upload files, create and delete indexes, and so on.
The following screenshots show the same code snippet that is used for various Splunk APIs and to perform various operations from the Python code itself.
The following code snippet can create and delete an index on Splunk via Python. In the following code, there are two functions (CreateIndex and CleanIndex) that can be used to create and delete a specified index as a parameter:
The following snippet can be used to create a TCP input to accept the data coming on that port and upload it on Splunk that is mapped to a specified index and sourcetype. Information such as the port number, index mapped to this TCP input, and the respective sourcetype needs to be passed as a parameter while the function is called. Also, since the connection created is a tcp connection, it is hardcoded, but if a UDP connection is required, then tcp needs to be replaced with udp in the following code:
The following code snippet can be used to upload files on Splunk by providing the INDEX and PATH of the file while calling the function:
The Splunk SDK is a great tool that supports modes for the search operation depending on the complexity of the operation. Following are the modes of search supported by Splunk via an SDK:
- Normal mode: In this mode, the search runs on Splunk and the code is returned with a search ID, with which it can poll for completion. Once the search is complete, the results can be displayed.
- Blocking mode: This mode is a synchronous call, and the code is blocked until the result is available and returned to the code.
- One-shot search mode: This is also a synchronous call, but it keeps on sending data, as in when it is available unlike that of blocking when the complete result is available and only then the results are sent.
The following code snippet can be used to run searches on the Splunk dashboard and return the results in the required format:
This is how the Splunk SDK can be used to perform various activities to leverage the power of Splunk in the legacy/proprietary applications.