# Getting started with SplunkUtills

SplunkUtills is an API for Splunk database, which can be used for querying SIRI and GTFS data into Pandas DataFrame. 

## Step 1: Install  splunk-sdk

SplunkUtills requires installing splunk-sdk package.

You can use pip for installation.

In [1]:
!pip install splunk-sdk



You are using pip version 18.0, however version 19.1.1 is available.
You should consider upgrading via the 'python -m pip install --upgrade pip' command.


## Step 2:  Set Splunk credentials

One must have Splunk credentials (host, port, username, password) to set a connection to Splunk using SplunkUtills.

You can save your credentials in json file as in the following example or simply hard-coded them.

In [2]:
import json

with open('credentials.json', 'r') as f:
    credentials = json.load(f)
    
HOST, PORT, USERNAME, PASSWORD = credentials.values()

## Step 3: Download & import SplunkUtills

Download SplunkUtills.py (needs to be located at the same folder as this notebook).

Then import **splunk_query_builder** and **read_splunk** from SplunkUtills.

In [3]:
from SplunkUtills import splunk_query_builder, read_splunk

## Step 4: Read Splunk function 

Args:
   * query (str): SPL query.
   * username (str): Splunk username.
   * password (str): Splunk password.
   * host (str): Splunk host.
   * port (int): Splunk port.
   
Returns:
    DataFrame: query results.
    
**For example lets query the GTFS (route_stats) using Splunk's Search Processing Language (SPL).**

In [4]:
%%time

query = '''search index=route_stats earliest=-12d latest=-10d route_id=5189|
        fields agency_id, route_short_name, route_id, date, all_start_time | '''

GTFS_data = read_splunk(query,
          host =  HOST, port = PORT, username = USERNAME, password = PASSWORD)

start..

your query:
 search index=route_stats earliest=-12d latest=-10d route_id=5189|

        fields agency_id, route_short_name, route_id, date, all_start_time |
 

imports completed

connection succeed

query status: 100.0%   14 scanned   2 matched   2 results

Done!

query succeed

read results succeed

job_canceled

finished! number of rows: 2

Wall time: 4.9 s


In [5]:
GTFS_data.head()

Unnamed: 0,agency_id,route_short_name,route_id,date,all_start_time
0,3,501,5189,2019-05-02,05:15:00;05:30:00;05:45:00;05:55:00;06:03:00;0...
1,3,501,5189,2019-05-01,05:15:00;05:30:00;05:45:00;05:55:00;06:03:00;0...


**Note that read_splunk function runs a Splunk job. One might send a very heavy query/ies which can fail the connection.
You can stop and delete jobs using Splunk app Job Manager.**

## Step 5:  Splunk Query Builder function

To save time of learning the SPL syntax, you can use this function, which creates SPL query from Dictionary of query Kwargs.

**For example lets query SIRI using splunk_query_builder function.**


**First, we will need to set our query_kwargs for filtering by columns values.**

In [6]:
query_kwargs = {
                'index': 'siri',
                'earliest': '-10d', #=last 10 days
                #'latest': '-8d',
                #'agency_id': 3,
                'route_short_name': 501,
                'route_id': 5189,
                'planned_start_time': '22:00:00',
               #'max_columns': 100000,
               'columns': ['timestamp','agency_id','route_id','route_short_name','service_id','planned_start_time',
                        'bus_id','predicted_end_time','time_recorded','lat','lon']
                }

In [7]:
%%time

SIRI_data = read_splunk(splunk_query_builder(**query_kwargs),
          host =  HOST, port = PORT, username = USERNAME, password = PASSWORD)

start..

your query:
 search index=siri earliest=-10d route_short_name=501 route_id=5189 planned_start_time=22:00:00 |
 fields timestamp, agency_id, route_id, route_short_name, service_id, planned_start_time, bus_id, predicted_end_time, time_recorded, lat, lon |


imports completed

connection succeed

query status: 100.0%   10395 scanned   786 matched   786 results

Done!

query succeed

read results succeed

job_canceled

finished! number of rows: 786

Wall time: 5.99 s


In [8]:
SIRI_data.head()

Unnamed: 0,timestamp,agency_id,route_id,route_short_name,service_id,planned_start_time,bus_id,predicted_end_time,time_recorded,lat,lon
0,2019-05-11T22:59:47.932,3,5189,501,38418529,22:00:00,7646969,23:02:00,23:00:09,32.178764,34.882263
1,2019-05-11T22:58:46.931,3,5189,501,38418529,22:00:00,7646969,23:01:00,22:58:51,32.179638,34.87804
2,2019-05-11T22:57:46.934,3,5189,501,38418529,22:00:00,7646969,23:03:00,22:57:54,32.180546,34.874229
3,2019-05-11T22:56:46.939,3,5189,501,38418529,22:00:00,7646969,23:02:00,22:57:03,32.181194,34.871098
4,2019-05-11T22:55:46.942,3,5189,501,38418529,22:00:00,7646969,23:02:00,22:56:10,32.18211,34.867115


**Some tips for splunk_query_builder function:**

* Splunk search works better when using indexes for filtering. As for now, the function gets only one value per filter column (index), so you can't pass lists in query_kwargs.

* indexex order is matter and can affect your performance. The best is to start with 'index', 'earliest' & 'latest'. This function will set the query accroding to query_kwargs keys order, except for this 3 indexes which will be placed in the start of the query regardless of query_kwargs order. 

* Use 'earliest' & 'latest' time modifiers to customize the time range of your search. You can specify an exact time such as earliest="10/5/2019:20:00:00", or a relative time such as earliest=-1h or latest=@w6. To learn more about SPL TimeMoidifers see: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers.

* It's recommended to declare selected columns in query_kwargs ('columns').

* You can limit the results number in query_kwargs ('max_columns').

* Note that no results might be a result of a syntax error in column name/filter value.   


## Step 6: Using loop for getting more the 50,000 results 

Splunk API limits the number of results per query to 50,000.

As for now, to overcome this limitation you can use the following 'for' loop.

**First, we will need to set a base query_kwargs.**

For this example, lets query SIRI for one high frequency bus route in Jerusaelm (Line Route 15 of Egged).

In [9]:
query_kwargs = {'index': 'siri',
                'agency_id': 3,
                'route_id': 12405,
               'columns': ['timestamp','agency_id','route_id','route_short_name','service_id','planned_start_time',
                        'bus_id','predicted_end_time','time_recorded','lat','lon']
                }

**Second, define time gaps (e.g days, hours, minutes) for the loop. The time gap need to be small enough for collecting no more then 50,000 results per run, and big enough for better performance.**

See example of quering for last 30 days data using time gaps of 6 days.

In [10]:
time_unit = 'd'
earliest_time_units = 30
latest_time_units = 0
time_units_gap = 6

earliest_latest =\
    [("-{}{}".format(u+time_units_gap, time_unit), "-{}{}".format(u, time_unit)) for u in range(int(round(latest_time_units,0)),
                                                                                               int(round(earliest_time_units,0)),
                                                                                                int(round(time_units_gap,0)))] 

print ("search from {} to {}".format(earliest_latest[0], earliest_latest[-1]))

search from ('-6d', '-0d') to ('-30d', '-24d')


In [11]:
%%time

import pandas as pd

SIRI_data = pd.DataFrame()

for earliest, latest in earliest_latest:
    
    query_kwargs['earliest'] = earliest
    query_kwargs['latest'] = latest
    
    data = read_splunk(splunk_query_builder(**query_kwargs),
                host =  HOST, port = PORT, username = USERNAME, password = PASSWORD)
        
    if isinstance(data, pd.DataFrame) and len(data)==50000:
        raise ValueError('')
        break

    else:
        SIRI_data = SIRI_data.append(data)
            
SIRI_data.drop_duplicates(inplace=True)

start..

your query:
 search index=siri earliest=-6d latest=-0d agency_id=3 route_id=12405 |
 fields timestamp, agency_id, route_id, route_short_name, service_id, planned_start_time, bus_id, predicted_end_time, time_recorded, lat, lon |


imports completed

connection succeed

query status: 100.0%   29979 scanned   29979 matched   29979 results

Done!

query succeed

read results succeed

job_canceled

finished! number of rows: 29979

start..

your query:
 search index=siri earliest=-12d latest=-6d agency_id=3 route_id=12405 |
 fields timestamp, agency_id, route_id, route_short_name, service_id, planned_start_time, bus_id, predicted_end_time, time_recorded, lat, lon |


imports completed

connection succeed

query status: 100.0%   41080 scanned   41080 matched   41080 results

Done!

query succeed

read results succeed

job_canceled

finished! number of rows: 41080

start..

your query:
 search index=siri earliest=-18d latest=-12d agency_id=3 route_id=12405 |
 fields timestamp, agency_

In [12]:
SIRI_data.head()

Unnamed: 0,timestamp,agency_id,route_id,route_short_name,service_id,planned_start_time,bus_id,predicted_end_time,time_recorded,lat,lon
0,2019-05-11T23:59:00.404,3,12405,15,38433040,00:00:00,7560969,00:25:00,23:58:10,31.785391,35.200584
1,2019-05-11T23:59:00.404,3,12405,15,38433039,23:48:00,7560869,00:14:00,23:59:22,31.785318,35.207443
2,2019-05-11T23:58:00.328,3,12405,15,38433040,00:00:00,7560969,00:25:00,23:58:10,31.785391,35.200584
3,2019-05-11T23:58:00.328,3,12405,15,38433039,23:48:00,7560869,00:14:00,23:58:10,31.786251,35.205868
4,2019-05-11T23:57:00.338,3,12405,15,38433040,00:00:00,7560969,00:25:00,03:39:58,0.0,0.0


In [13]:
len(SIRI_data)

173407