Splunk Fetcher Reference

Splunk Fetcher Reference#

Environment variables#

SPLUNK_HOST#

The hostname of the Splunk server.

SPLUNK_PORT#

The port number used to connect with the Splunk server.

Default is 8089

Note

Make sure you use the port value for the API not for the UI because the values may be different.

SPLUNK_USERNAME#

A username that have access to the Splunk server

SPLUNK_PASSWORD#

The password of the user.

SPLUNK_APP#

The Splunk app that the fetcher will query data from.

Note

The app is a part of the URL, being identified by the /app/SPLUNK_APPpath e.g. in https://splunk.mycompany.com/en-US/app/your_splunk_app/search?... the SPLUNK_APP is your_splunk_app.

SPLUNK_QUERY#

The query that defines what data to fetch.

SPLUNK_FILE#

A file that contains the Splunk query. This variable is ignored if you have the SPLUNK_QUERY already set to define the query.

SPLUNK_OUTPUT_FORMAT#

(Optional) The data format to be fetched from the Splunk server.

Allowed values:

  • json

  • csv

Default is json

SPLUNK_VALIDATE_RESULTS#

(Optional) A flag to enable the validation of the fetched data. It verifies whether the number of locally retrieved results matches the data from the online source. {WARNING} This flag is not available if the oneshot mode is enabled. Default is false

SPLUNK_ONEQ_UPLOAD#

(Optional) A flag to enable uploading fetched data to the OneQ server. Default is false

Note

OneQ is a proprietary quality management tool. If you don’t have access to it, you can safely ignore this variable.

SPLUNK_ONE_SHOT#

(Optional) A flag to enable a one shot search. This means that the search is not dispatched, but executed immediately. Default is false

SPLUNK_START_TIME#

(Optional) The start time of the one shot search. Check the required syntax reference

Default is SPLUNK_END_TIME - 1 day

SPLUNK_END_TIME#

(Optional) The end time of the one shot search. Check the required syntax reference

Default is now

SPLUNK_RESULT_FILE#

(Optional) The name of the file to store the fetched data. The fetcher creates a file with this name in the evidence path.

Command line options#

The Splunk Fetcher is a small CLI that can be used to fetch data from Splunk via a search query. It can be called in a Yaku workflow with the splunk-fetcher command. The CLI of splunk-fetcher offers the following options (see also splunk-fetcher --help):

Usage: splunk-fetcher [OPTIONS]

  Fetch Splunk query result as JSON or CSV

Options:
  --version                       Output version information and exit.
  --colors / --no-colors          Enable or disable colors in output.
  --debug                         Show debug log messages.
  -q, --query TEXT                Splunk query
  --validate-results              Validate the number of received results.
                                  Does not work with one shot searches
  -f, --file TEXT                 File that contains the Splunk query
  -a, --app TEXT                  Splunk app name e.g. tamer_std_ods
                                  [required]
  -u, --username TEXT             Splunk username  [required]
  -p, --password TEXT             Splunk password  [required]
  -h, --host TEXT                 Splunk host
  -P, --port INTEGER              Splunk port
  -o, --output-format [json|csv|xml]
                                  Output format  [default: json]
  --force                         Force the overwrite of the output file
  -r, --result-file TEXT          Splunk result file
  --oneq-upload                   Upload the result to OneQ
  --animations / --no-animations  Disable animations
  --one-shot / --no-one-shot      One shot search
  --start-time TEXT               Start time for one shot search e.g.
                                  2021-01-01
  --end-time TEXT                 End time for one shot search e.g. 2021-01-01
  --help                          Show this message and exit.

When calling the CLI, you need to have the evidence_path environment variable set. Moreover, if you do not provide any options, you will be prompted afterwards to provide the app name, username and password.