In [1]:
import getpass
import json
import os

import pandas as pd
import splunklib.client as client
import splunklib.results as results

In [2]:
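def connect_to_splunk(username,password,host='localhost',port='8089',owner='admin',app='search',sharing='user'):
    """Open a session against the splunkd REST API and return the splunklib ``Service``.

    Args:
        username, password: Splunk credentials. Supply them from the environment
            or ``getpass`` rather than as literals in a cell; cells and their
            outputs end up in version control and shared exports.
        host, port: management (REST) endpoint of splunkd.
        owner, app, sharing: namespace the session operates in.

    Returns:
        The connected ``Service``, or ``None`` when ``client.connect`` raised.
        The error is printed instead of re-raised, matching the notebook's
        best-effort style, so callers must check for ``None``.

    NOTE(review): the call relies on the SDK's default TLS settings; for a
    non-local ``host`` confirm certificate verification is left enabled
    (``client.connect(..., verify=True)``) rather than disabled for convenience.
    """
    try:
        service = client.connect(
            host=host, port=port,
            username=username, password=password,
            owner=owner, app=app, sharing=sharing,
        )
    except Exception as e:
        print(e)
        return None
    if service:
        print("Splunk service created successfully")
        print("------------------------------------")
    return service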

In [39]:
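def blocking_search_to_df(service,search_string,payload=None):
    """Run ``search_string`` as a blocking search job and return its rows as a DataFrame.

    Args:
        service: a connected splunklib ``Service`` (see ``connect_to_splunk``).
        search_string: the SPL to run, including the leading ``search`` command.
        payload: extra job-creation arguments (earliest_time, latest_time, ...).
            ``exec_mode`` defaults to ``"blocking"`` so ``job.results`` is only
            read once the job has finished; a caller-supplied value still wins.
            The caller's dict is never mutated (no shared mutable default).

    Returns:
        A DataFrame with one row per entry of the ``results`` array, or ``None``
        when job creation, the read or the JSON decode raised (the error is
        printed, not re-raised), so callers must check before using it.
    """
    try:
        job_args = {"exec_mode": "blocking", **(payload or {})}
        job = service.jobs.create(search_string, **job_args)
        # Local name deliberately differs from the module-level ``results`` import.
        raw = job.results(output_mode='json').read()
        return pd.DataFrame(json.loads(raw.decode('utf8'))['results'])
    except Exception as e:
        print(e)
        return None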

In [40]:
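def oneshot_search_to_df(service,search_string, payload=None):
    """Run ``search_string`` as a oneshot search and return its rows as a DataFrame.

    Args:
        service: a connected splunklib ``Service`` (see ``connect_to_splunk``).
        search_string: the SPL to run, including the leading ``search`` command.
        payload: extra oneshot arguments (earliest_time, latest_time, ...).
            ``output_mode`` defaults to ``"json"`` because the body is parsed
            with ``json.loads``; a caller-supplied value still wins. The
            caller's dict is never mutated (no shared mutable default).

    Returns:
        A DataFrame with one row per entry of the ``results`` array, or ``None``
        when the request or the JSON decode raised (the error is printed, not
        re-raised), so callers must check before using it.
    """
    try:
        args = {"output_mode": "json", **(payload or {})}
        # Local name deliberately differs from the module-level ``results`` import.
        raw = service.jobs.oneshot(search_string, **args).read()
        return pd.DataFrame(json.loads(raw.decode('utf8'))['results'])
    except Exception as e:
        print(e)
        return None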

In [41]:
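# Read the credential from the environment (non-interactive runs) or prompt for
# it; a password literal in a cell lands in git history and in shared exports.
# The user name default mirrors the original cell.
splunk_service = connect_to_splunk(
    username=os.environ.get("SPLUNK_USERNAME", "admin"),
    password=os.environ.get("SPLUNK_PASSWORD") or getpass.getpass("Splunk password: "),
)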

Splunk service created successfully
------------------------------------


In [42]:
# Blocking job: the helper only reads results once the job has finished.
search_string = (
    'search index=my_first_index '
    'source="tutorialdata.zip:./www1/access.log" '
    'latest="07/01/2022:00:00:00" '
    '|head 20 | table _time, clientip, uri_path'
)
payload = dict(exec_mode="blocking")

In [43]:
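df = blocking_search_to_df(splunk_service, search_string, payload)
# The helper prints the exception and returns None on failure; stop here with a
# clear message instead of an AttributeError on df.head() in the next cell.
assert df is not None, "blocking search failed - see the printed error above"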

In [44]:
# First five rows of the blocking-search result (head() defaults to 5).
df.head()

Unnamed: 0,_time,clientip,uri_path
0,2022-06-30T23:57:42.000+00:00,208.240.243.170,/product.screen
1,2022-06-30T23:57:42.000+00:00,208.240.243.170,/cart/success.do
2,2022-06-30T23:57:42.000+00:00,208.240.243.170,/cart.do
3,2022-06-30T23:57:41.000+00:00,208.240.243.170,/oldlink
4,2022-06-30T23:57:40.000+00:00,208.240.243.170,/cart.do


In [48]:
# Oneshot request: the time bound goes in the payload rather than in the SPL.
search_string = (
    'search index=my_first_index '
    'source="tutorialdata.zip:./www1/access.log" '
    '|head 20| table _time, clientip, uri_path'
)
payload = dict(output_mode="json", latest_time="2022-07-01T00:00:00")

In [49]:
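df = oneshot_search_to_df(splunk_service, search_string, payload)
# The helper prints the exception and returns None on failure; stop here with a
# clear message instead of an AttributeError on df.head() in the next cell.
assert df is not None, "oneshot search failed - see the printed error above"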

In [50]:
# First five rows of the oneshot result (head() defaults to 5).
df.head()

Unnamed: 0,_time,clientip,uri_path
0,2022-06-30T23:57:42.000+00:00,208.240.243.170,/product.screen
1,2022-06-30T23:57:42.000+00:00,208.240.243.170,/cart/success.do
2,2022-06-30T23:57:42.000+00:00,208.240.243.170,/cart.do
3,2022-06-30T23:57:41.000+00:00,208.240.243.170,/oldlink
4,2022-06-30T23:57:40.000+00:00,208.240.243.170,/cart.do
