Command line examples in the Splunk SDK for Python

Examples are located in the /splunk-sdk-python/examples directory. To run the examples at the command line, use the Python interpreter and include any arguments that are required by the example.

python --username="admin" --password="yourpassword"

If you saved your login credentials in the .splunkrc file, you can omit those arguments:


To get help for an example, use the --help argument with an example:

python --help
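As an added example (not code from the SDK or from this page), here is a small loader for the .splunkrc credentials file mentioned above: it parses the key=value format, merges it with defaults and command-line overrides, checks that the file is not readable by other users (it holds a password), and produces a copy safe to print. The accepted key names follow the SDK's sample .splunkrc, and the rule that command-line flags override file values is an assumption of this example.

```python
import os
import stat

# Keys shown in the SDK's sample .splunkrc; treating these as the complete
# allowed set is an assumption of this example.
ALLOWED_KEYS = {"host", "port", "username", "password", "scheme", "version"}
DEFAULTS = {"host": "localhost", "port": "8089", "scheme": "https"}

# Constructed sample file content (not a real deployment).
SAMPLE_RC = """# Splunk host
host=splunk.example.test
port=8089
username=admin
password=changeme
scheme=https
"""

def parse_splunkrc(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in ALLOWED_KEYS:
            raise ValueError(f".splunkrc line {lineno}: unexpected entry {raw!r}")
        opts[key] = value.strip()
    return opts

def permission_findings(mode, path="~/.splunkrc"):
    """The file stores a password: flag any group/other permission bits."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is mode {mode:04o}; expected 0600 (owner only)"]
    return []

def connect_kwargs(file_opts, cli_opts=None):
    """Merge defaults < .splunkrc < command-line flags (flags given as None are unset)."""
    overrides = {k: v for k, v in (cli_opts or {}).items() if v is not None}
    merged = {**DEFAULTS, **file_opts, **overrides}
    merged["port"] = int(merged["port"])
    if merged["scheme"] not in ("http", "https"):
        raise ValueError(f"unsupported scheme {merged['scheme']!r}")
    return merged

def redacted(kwargs):
    """Copy of the connection settings that is safe to log: never echo the password."""
    return {k: ("***" if k == "password" else v) for k, v in kwargs.items()}

def load_splunkrc(path=os.path.expanduser("~/.splunkrc")):
    """Read the real file and return (options, permission findings)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        return parse_splunkrc(fh.read()), permission_findings(mode, path)
```

The returned dictionary has the same keys the examples accept as --host, --port, --username, --password and --scheme, so it can be passed straight on to whichever example you run.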

Run examples

Here are some different command-line examples to show how to use the SDK examples. Make sure Splunk Enterprise is running, and then open a command prompt in the /splunk-sdk-python/examples directory.

Run a search and display formatted results

The example runs a search and returns the results, using parameters to customize your searches. Running this example creates a search job that is deleted once the results are returned. Use --help to list the available options. For a deeper description of what these parameters mean, look for them in the Requests table under POST search/jobs in the Splunk REST API documentation.

Here's how to search everything, return results in CSV format, and display progress:

python "search *" --output_mode=csv --verbose=verbose

This example searches everything after a specified time, requires the "desc" field, and returns the first 10 results in JSON format:

python "search * | head 10" --earliest_time="2011-03-12T17:15:00.000-07:00" --rf="desc" --output_mode=json

Use the example to format your search results. This example removes the XML tags and condenses the output, so the results are easier to read than XML. To use this example, pipe a command to a command:

python "search * | head 10" | python

Run a simple oneshot search

The example is a simpler search example that just runs a search and returns results in the same call (this example hard-codes --exec_mode=oneshot). This example also reformats the XML results automatically. Here's how to search everything and return the first 10 results:

python "search * | head 10"

Work with search jobs

The example works with search jobs and performs different actions on them. For example, here's how to list your current search jobs:

python list

Here's how to display the properties of a specific job—you specify either the index value or search ID:

python list @4              # Print the fourth job in the queue
python list 1354642929.43   # Print a job specified by a search ID

Display Splunk system info

The example takes no arguments and simply prints system information about your Splunk instance to the console:


List your data inputs

The example enumerates the data inputs that have been set up for your Splunk Enterprise instance, and the properties of each:


Upload a data input file

The example adds a data input file. This command uploads the file (from the Splunk Tutorial) to the "test_index" index:

python /Users/myusername/Downloads/ --index="test_index"

Work with data indexes

The example works with the indexes that store your Splunk data. When you run the example with the list argument alone, it lists all indexes along with the number of events in each:

python list

You can also specify an action (create, clean, enable, disable, reload, update, list) to perform on a specific index. This shows how to list properties for the "test" index:

python list test

This shows how to clean the summary and test indexes:

python clean summary test

Display events as they are indexed

The example prints events to the console as they are indexed (the "tail" of a real-time search). For example, this command prints incoming events to the "twitter" index:

python "search index=twitter"

Generate sample events for testing

The example is a simple event generator that writes 50,000 short time-stamped events to a specified index. You can also specify the way the data is received: over an HTTP connection (stream, the default), over a TCP connection (TCP), or over individually-constructed HTTP connections per event (submit).

For example, this adds events to the "main" index over a TCP connection:

python main tcp

Use for testing when you need a bunch of events. For example, you can use with the example to display events as they are received in a "test" index. Open two command-prompt windows. In one, enter:

python "search index=test"

Then, in the other window, enter:

python test

Work with Splunk configuration files

The example lets you work with Splunk configuration (.conf) files. This command lists the .conf files in $SPLUNK_HOME/etc/system and $SPLUNK_HOME/etc/users (depending on your user account permissions):

python list

To display the content of a specific .conf file, such as inputs.conf:

python list inputs

List Splunk server logging categories

The example lists the Splunk server logging categories and their current logging level:


Run GET commands for Splunk REST API endpoints

The example runs a GET command for any endpoint in the Splunk REST API, and returns the Atom Feed response. These examples use two different endpoints:

python /services/data/indexes

python /services/saved/searches

Run Splunk's interactive Python interpreter

The example starts an interactive Python interpreter for the Splunk SDK for Python. This interpreter is similar to using the regular Python interpreter, but this Splunk version automatically logs in and connects to your Splunk instance (taking your login credentials from the .splunkrc file):


Once the interpreter is running, you can enter single Python commands. For example, next you could run a simple search:

print"search * | head 10")

Or, list the Splunk apps that are installed:

for app in service.apps: print

To quit the interpreter press Ctrl+D, or enter:


List saved event types

The example simply lists your saved event types, which are saved searches that do not include a pipe operator or a subsearch.

This lists all of your saved event types:


List fired alerts

The example lists a summary of the alerts that were fired on the server.

This lists all of your fired alerts:


Explore the REST API

The example, which is located in the /splunk-sdk-python/examples/explorer directory, lets you interact with all of the endpoints in the Splunk Enterprise REST API from a web page interface. You can select an endpoint, set parameters, and submit the request. If successful, the web page displays the Atom Feed response to the REST API call.

To run this example and launch the explorer.html page in a web browser, open a command prompt in the /splunk-sdk-python/examples/explorer directory and enter:


Export indexed events to a file

The example, which is located in the /splunk-sdk-python/examples/export directory, takes events from an index and saves them to a file, export.out, in the same directory. You can export events in XML, CSV, or JSON format.

This exports the main index:

python --index=main

The SDK includes two examples for working with saved searches:

  • The example, which is located in the /splunk-sdk-python/examples directory, simply lists your saved searches.
  • The example, which is located in the /splunk-sdk-python/examples/saved_search directory, lets you list your saved searches, but also lets you view properties for a specific saved search and delete a saved search.

From the /splunk-sdk-python/examples directory, this lists all of your saved searches in an easy-to-read format:


This also lists saved searches, but in the Atom Feed format:

python saved_search/ list-all

You can also list the details of one specific search (run one of the previous commands to retrieve names):

python saved_search/ list --name="Name of a saved search"

This deletes a saved search:

python saved_search/ --operation="delete" --name="Name of a saved search"