The Splunk Enterprise Software Development Kit (SDK) for Python contains library code and examples designed to enable developers to build applications using the Splunk platform.
The Splunk platform is a search engine and analytic environment that uses a distributed map-reduce architecture to efficiently index, search, and process large time-varying data sets.
The Splunk platform is popular with system administrators for aggregation and monitoring of IT machine data, security, compliance, and a wide variety of other scenarios that share a requirement to efficiently index, search, analyze, and generate real-time notifications from large volumes of time-series data.
The Splunk developer platform enables developers to take advantage of the same technology used by the Splunk platform to build exciting new applications.
The Splunk Enterprise SDK for Python contains library code and examples that show how to programmatically interact with the Splunk platform for a variety of scenarios including searching, saved searches, data inputs, and many more, along with building complete applications.
Here's what you need to get going with the Splunk Enterprise SDK for Python.
- Python 2.7+ or Python 3.7. The Splunk Enterprise SDK for Python has been tested with Python v2.7 and v3.7.
- Splunk Enterprise. If you haven't already installed Splunk Enterprise, download it here. For more information, see the Splunk Enterprise Installation Manual.
- Splunk Enterprise SDK for Python. Get the Splunk Enterprise SDK for Python from PyPI. If you want to contribute to the SDK, clone the repository from GitHub.
Use the following commands to install the Splunk Enterprise SDK for Python libraries. However, it's not necessary to install the libraries to run the examples and unit tests from the SDK.
Use pip:
[sudo] pip install splunk-sdk
Install the Python egg:
[sudo] pip install --egg splunk-sdk
Install the sources you cloned from GitHub:
[sudo] python setup.py install
You'll need docker and docker-compose to get up and running using this method.
make up SPLUNK_VERSION=8.0
make wait_up
make splunkrc_default
make test
make down
To run the examples and unit tests, you must put the root of the SDK on your PYTHONPATH. For example, if you downloaded the SDK to your home folder and are running OS X or Linux, add the following line to your .bash_profile file:
export PYTHONPATH=~/splunk-sdk-python
The SDK command-line examples require a common set of arguments that specify the host, port, and login credentials for Splunk Enterprise. For a full list of command-line arguments, include --help as an argument to any of the examples.
import splunklib.client as client

# Log in with a username and password (autologin re-authenticates if the session expires)
service = client.connect(host=<host_url>, username=<username>, password=<password>, autologin=True)

# Authenticate with a bearer token instead of a password
service = client.connect(host=<host_url>, splunkToken=<bearer_token>, autologin=True)

# Reuse an existing session key obtained from an earlier login
service = client.connect(host=<host_url>, token=<session_key>, autologin=True)
To connect to Splunk Enterprise, many of the SDK examples and unit tests take command-line arguments that specify values for the host, port, and login credentials for Splunk Enterprise. For convenience during development, you can store these arguments as key-value pairs in a text file named .splunkrc. Then, the SDK examples and unit tests use the values from the .splunkrc file when you don't specify them.
Note: Storing login credentials in the .splunkrc file is only for convenience during development. This file isn't part of the Splunk platform and shouldn't be used for storing user credentials for production. And, if you're at all concerned about the security of your credentials, enter them at the command line rather than saving them in this file.
To use this convenience file, create a text file with the following format:
# Splunk Enterprise host (default: localhost)
host=localhost
# Splunk Enterprise admin port (default: 8089)
port=8089
# Splunk Enterprise username
username=admin
# Splunk Enterprise password
password=changeme
# Access scheme (default: https)
scheme=https
# Your version of Splunk Enterprise
version=8.0
Save the file as .splunkrc in the current user's home directory.
- For example, on OS X, save the file as: ~/.splunkrc
- On Windows, save the file as: C:\Users\currentusername\.splunkrc
You might get errors in Windows when you try to name the file because ".splunkrc" appears to be a nameless file with an extension. You can use the command line to create this file by going to the C:\Users\<currentusername> directory and entering the following command:
Notepad.exe .splunkrc
Click Yes, then continue creating the file.
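As an added example (not part of the SDK or its README), here is a small stand-alone parser for the .splunkrc format shown above: it applies the defaults the template lists, rejects unknown keys, lets command-line values override file values, and refuses a file that other users can read because it may hold a password. The function names and the sample file content are assumptions made for this example, not the SDK's own utils module.

```python
import os
import stat
from typing import Any, Dict, Optional

# Defaults named in the .splunkrc template above; the remaining keys have none.
DEFAULTS = {"host": "localhost", "port": "8089", "scheme": "https"}
KNOWN_KEYS = {"host", "port", "username", "password", "scheme", "version"}

def parse_splunkrc(text: str) -> Dict[str, Any]:
    """Turn .splunkrc-style text into settings, applying the documented defaults."""
    settings: Dict[str, Any] = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in KNOWN_KEYS:  # reject typos instead of passing them to connect()
            raise ValueError(f"line {lineno}: unknown key {key!r}")
        settings[key] = value
    if settings["scheme"] not in ("http", "https"):
        raise ValueError(f"scheme must be http or https, got {settings['scheme']!r}")
    if not settings["port"].isdigit():
        raise ValueError(f"port must be numeric, got {settings['port']!r}")
    settings["port"] = int(settings["port"])
    return settings

def merge_overrides(settings: Dict[str, Any], overrides: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Command-line values win; None means 'not given', so the file value is kept."""
    merged = dict(settings)
    merged.update({k: v for k, v in (overrides or {}).items() if v is not None})
    return merged

def load_splunkrc(path: str = os.path.expanduser("~/.splunkrc")) -> Dict[str, Any]:
    """Read the file if present; refuse one other users can read, since it may hold a password."""
    if not os.path.exists(path):
        return dict(DEFAULTS)
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world readable; tighten it with chmod 600")
    with open(path, encoding="utf-8") as fh:
        return parse_splunkrc(fh.read())

SAMPLE_SPLUNKRC = """\
# constructed sample in the README's format; port and scheme fall back to the defaults
host=splunk.example.internal
username=admin
password=changeme
version=8.0
"""
```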
Examples are located in the /splunk-sdk-python/examples directory. To run the examples at the command line, use the Python interpreter and include any arguments that are required by the example. In the commands below, replace "examplename" with the name of the specific example in the directory that you want to run:
Using username and password
python examplename.py --username="admin" --password="changeme"
Using Bearer token
python examplename.py --bearerToken=<value>
Using Session key
python examplename.py --sessionKey="<value>"
If you saved your login credentials in the .splunkrc file, you can omit those arguments:
python examplename.py
To get help for an example, use the --help argument with an example:
python examplename.py --help
The Splunk Enterprise SDK for Python contains a collection of unit tests. To run them, open a command prompt in the /splunk-sdk-python directory and enter:
make
You can also run individual test files, which are located in /splunk-sdk-python/tests. To run a specific test, enter:
make specific_test_name
The test suite uses Python's standard library, the built-in unittest library, pytest, and tox.
Notes:
- The test run fails unless the SDK App Collection app is installed.
- To exclude app-specific tests, use the make test_no_app command.
- To learn about our testing framework, see Splunk Test Suite on GitHub. In addition, the test run requires you to build the searchcommands app. The make command runs the tasks to do this, but more complex testing may require you to rebuild using the make build_app command.
Directory | Description |
---|---|
/docs | Source for Sphinx-based docs and build |
/examples | Examples demonstrating various SDK features |
/splunklib | Source for the Splunk library modules |
/tests | Source for unit tests |
/utils | Source for utilities shared by the examples and unit tests |
- When working with custom search commands such as Custom Streaming Commands or Custom Generating Commands, we may need to add new fields to the records based on certain conditions.
- Structural changes like this may not be preserved.
- Make sure to use the add_field(record, fieldname, value) method from SearchCommand to add a new field and value to the record.
- Note: Using the add_field method is completely optional if you are not facing any issues with field retention.
Do

from splunklib.searchcommands import Configuration, StreamingCommand

@Configuration()
class CustomStreamingCommand(StreamingCommand):
    def stream(self, records):
        for index, record in enumerate(records):
            if index % 2 == 1:  # tag records at odd positions
                # add_field registers the new field with the command so it is retained in the output
                self.add_field(record, "odd_record", "true")
            yield record

Don't

from splunklib.searchcommands import Configuration, StreamingCommand

@Configuration()
class CustomStreamingCommand(StreamingCommand):
    def stream(self, records):
        for index, record in enumerate(records):
            if index % 2 == 1:  # tag records at odd positions
                record["odd_record"] = "true"  # plain assignment: the new field may not be preserved
            yield record
- A Generating Custom Search Command is used to generate events using SDK code.
- Make sure to use the gen_record() method from SearchCommand to add a new record, passing the event data as key=value pairs separated by commas (as in the example below).
Do

import time
from splunklib.searchcommands import Configuration, GeneratingCommand

@Configuration()
class GeneratorTest(GeneratingCommand):
    def generate(self):
        # gen_record builds a record whose fields are registered with the command
        yield self.gen_record(_time=time.time(), one=1)
        yield self.gen_record(_time=time.time(), two=2)

Don't

import time
from splunklib.searchcommands import Configuration, GeneratingCommand

@Configuration()
class GeneratorTest(GeneratingCommand):
    def generate(self):
        # plain dicts: the fields are not registered and may not be preserved
        yield {'_time': time.time(), 'one': 1}
        yield {'_time': time.time(), 'two': 2}
The CHANGELOG contains a description of changes for each version of the SDK. For the latest version, see the CHANGELOG.md on GitHub.
The master branch represents a stable and released version of the SDK. To learn about our branching model, see Branching Model on GitHub.
Resource | Description |
---|---|
Splunk Developer Portal | General developer documentation, tools, and examples |
Integrate the Splunk platform using development tools for Python | Documentation for Python development |
Splunk Enterprise SDK for Python Reference | SDK API reference documentation |
REST API Reference Manual | Splunk REST API reference documentation |
Splunk>Docs | General documentation for the Splunk platform |
GitHub Wiki | Documentation for this SDK's repository on GitHub |
Stay connected with other developers building on the Splunk platform.
If you would like to contribute to the SDK, see Contributing to Splunk. For additional guidelines, see CONTRIBUTING.
- You will be granted support if you or your company are already covered under an existing maintenance/support agreement. Submit a new case in the Support Portal and include "Splunk Enterprise SDK for Python" in the subject line. If you are not covered under an existing maintenance/support agreement, you can find help through the broader community at Splunk Answers.
- Splunk will NOT provide support for SDKs if the core library (the code in the /splunklib directory) has been modified. If you modify an SDK and want support, you can find help through the broader community and Splunk Answers. We would also like to know why you modified the core library, so please send feedback to [email protected].
- File any issues on GitHub.
You can reach the Splunk Developer Platform team at [email protected].
The Splunk Enterprise Software Development Kit for Python is licensed under the Apache License 2.0. See LICENSE for details.