我已经编写了python代码来从splunk下载给定搜索和给定日期范围的数据,但似乎日期范围不起作用 - 我可以看到日志在我输入的日期之外。
这是我的代码片段:
def download_binary_file(self, url_path, output_file_path, auth, data):
self.logger.debug("Entering DatacenterSplunk.download_binary_file() for dc " + self.datacenter)
print("Writing logs to file: " + output_file_path)
try:
s = requests.Session()
r = s.post(url_path, auth=auth, data=data, stream=True, verify=self.verify_cert)
r.raise_for_status()
with open(output_file_path, 'wb') as f:
for chunk in r.iter_content(chunk_size=512):
if chunk:
f.write(chunk)
f.close()
except Exception as e:
self.logger.error("Exception encountered in DatacenterSplunk.download_binary_file():" + str(e))
self._handle_exception(e)
self.logger.debug("Leaving DatacenterSplunk.download_binary_file() for dc " + self.datacenter)
这是我正在传递的 URL 和数据,
URL : https://example-zone-ms.compnay.com:8089/services/search/jobs/export
data= {'search': 'search source=*FOO_access* http_apikey | fields - host,source,sourcetype, splunk_server, _time, index, _serial', 'output_mode': 'csv', 'earliest': '08/22/2019:0:0:0', 'latest': '08/22/2019:23:59:59'}
它工作正常,除了日期范围问题,无论我输入的日期范围如何,我总是得到最后 7 天的日志。对于此范围 最早=08/22/2019:0:0:0 -d latest=08/23/2019:0:0:0 我可以从8月29日至8月22
日您可以在搜索字符串中包含最早和最新的,无需包含-d
data= {'search': 'search source=*FOO_access* http_apikey | fields - host,source,sourcetype, splunk_server, _time, index, _serial earliest=08/22/2019:0:0:0 latest=08/23/2019:0:0:0', 'output_mode': 'csv'}
或者,如果要将其作为参数传递,可以使用以下内容
data= {'search': 'search source=*FOO_access* http_apikey | fields - host,source,sourcetype, splunk_server, _time, index, _serial" 'earliest_time': "08/22/2019:0:0:0", 'latest_time': "08/23/2019:0:0:0", 'output_mode': 'csv'}