Splunk Fetcher Reference
Environment variables
- SPLUNK_HOST
The hostname of the Splunk server.
- SPLUNK_PORT
The port number used to connect to the Splunk server. Default is 8089.
Note
Make sure you use the port of the Splunk API, not the port of the web UI, because the two values may be different.
- SPLUNK_USERNAME
A username that has access to the Splunk server.
- SPLUNK_PASSWORD
The password of the user.
- SPLUNK_APP
The Splunk app that the fetcher will query data from.
Note
The app is part of the URL, identified by the /app/SPLUNK_APP path. E.g. in https://splunk.mycompany.com/en-US/app/your_splunk_app/search?... the SPLUNK_APP is your_splunk_app.
- SPLUNK_QUERY
The query that defines what data to fetch.
- SPLUNK_FILE
A file that contains the Splunk query. This variable is ignored if SPLUNK_QUERY is already set to define the query.
- SPLUNK_OUTPUT_FORMAT
(Optional) The data format to be fetched from the Splunk server. Allowed values: json, csv. Default is json.
- SPLUNK_VALIDATE_RESULTS
(Optional) A flag to enable validation of the fetched data. It verifies that the number of locally retrieved results matches the number reported by the online source. Warning: this flag is not available when one shot mode is enabled. Default is false.
- SPLUNK_ONEQ_UPLOAD
(Optional) A flag to enable uploading the fetched data to the OneQ server. Default is false.
Note
OneQ is a proprietary quality management tool. If you don’t have access to it, you can safely ignore this variable.
- SPLUNK_ONE_SHOT
(Optional) A flag to enable a one shot search, i.e. the search is not dispatched as a job but executed immediately. Default is false.
- SPLUNK_START_TIME
(Optional) The start time of the one shot search. Check the required syntax reference. Default is SPLUNK_END_TIME - 1 day.
- SPLUNK_END_TIME
(Optional) The end time of the one shot search. Check the required syntax reference. Default is now.
- SPLUNK_RESULT_FILE
(Optional) The name of the file to store the fetched data. The fetcher creates a file with this name in the evidence path.
Command line options
The Splunk Fetcher is a small CLI that can be used to fetch data from Splunk via a search query. It can be called in a Yaku workflow with the splunk-fetcher command. The CLI of splunk-fetcher offers the following options (see also splunk-fetcher --help):
Usage: splunk-fetcher [OPTIONS]
Fetch Splunk query result as JSON or CSV
Options:
--version Output version information and exit.
--colors / --no-colors Enable or disable colors in output.
--debug Show debug log messages.
-q, --query TEXT Splunk query
--validate-results Validate the number of received results. Does not work with one shot searches
-f, --file TEXT File that contains the Splunk query
-a, --app TEXT Splunk app name e.g. tamer_std_ods [required]
-u, --username TEXT Splunk username [required]
-p, --password TEXT Splunk password [required]
-h, --host TEXT Splunk host
-P, --port INTEGER Splunk port
-o, --output-format [json|csv|xml]
Output format [default: json]
--force Force the overwrite of the output file
-r, --result-file TEXT Splunk result file
--oneq-upload Upload the result to OneQ
--animations / --no-animations Disable animations
--one-shot / --no-one-shot One shot search
--start-time TEXT Start time for one shot search e.g. 2021-01-01
--end-time TEXT End time for one shot search e.g. 2021-01-01
--help Show this message and exit.
When calling the CLI, you need to have the evidence_path environment variable set. Moreover, if you do not provide any options, you will be prompted afterwards for the app name, username and password.
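A preflight check for unattended runs, as an added example that is not part of the Yaku project: it applies the defaults and constraints listed above (API port 8089, SPLUNK_QUERY taking precedence over SPLUNK_FILE, no result validation in one shot mode) and prints the equivalent splunk-fetcher command line with the password redacted instead of contacting Splunk. The function name and its internal variables are its own; the environment variable and option names come from this reference.

```shell
#!/bin/sh
# Preflight check for an unattended splunk-fetcher run (added example, not
# part of the Yaku project). It applies the defaults and constraints from the
# reference above and prints the equivalent command line with the password
# redacted; it does not contact Splunk itself.

splunk_preflight() {
    # Required settings: the CLI would prompt for missing ones, which stalls
    # an unattended workflow. evidence_path must be set for the CLI as well.
    for v in evidence_path SPLUNK_HOST SPLUNK_USERNAME SPLUNK_PASSWORD SPLUNK_APP; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then echo "missing required variable: $v" >&2; return 1; fi
    done
    port="${SPLUNK_PORT:-8089}"             # management API port, not the web UI port
    fmt="${SPLUNK_OUTPUT_FORMAT:-json}"
    case "$fmt" in
        json|csv) ;;
        *) echo "SPLUNK_OUTPUT_FORMAT must be json or csv, got: $fmt" >&2; return 1 ;;
    esac
    # SPLUNK_QUERY takes precedence over SPLUNK_FILE; one of them is needed.
    if [ -n "${SPLUNK_QUERY:-}" ]; then
        query="-q \"$SPLUNK_QUERY\""
    elif [ -n "${SPLUNK_FILE:-}" ]; then
        if [ ! -r "$SPLUNK_FILE" ]; then echo "SPLUNK_FILE not readable: $SPLUNK_FILE" >&2; return 1; fi
        query="-f \"$SPLUNK_FILE\""
    else
        echo "set SPLUNK_QUERY or SPLUNK_FILE" >&2; return 1
    fi
    # Result validation is documented as unavailable for one shot searches.
    extra=""
    if [ "${SPLUNK_ONE_SHOT:-false}" = true ]; then
        if [ "${SPLUNK_VALIDATE_RESULTS:-false}" = true ]; then
            echo "SPLUNK_VALIDATE_RESULTS cannot be combined with SPLUNK_ONE_SHOT" >&2; return 1
        fi
        extra="--one-shot"
        if [ -n "${SPLUNK_START_TIME:-}" ]; then extra="$extra --start-time $SPLUNK_START_TIME"; fi
        if [ -n "${SPLUNK_END_TIME:-}" ]; then extra="$extra --end-time $SPLUNK_END_TIME"; fi
    elif [ "${SPLUNK_VALIDATE_RESULTS:-false}" = true ]; then
        extra="--validate-results"
    fi
    if [ "${SPLUNK_ONEQ_UPLOAD:-false}" = true ]; then extra="$extra --oneq-upload"; fi
    if [ -n "${SPLUNK_RESULT_FILE:-}" ]; then extra="$extra -r $SPLUNK_RESULT_FILE"; fi
    # Print the resolved command; the password itself never reaches a log.
    echo "splunk-fetcher -h $SPLUNK_HOST -P $port -a $SPLUNK_APP -u $SPLUNK_USERNAME" \
         "-p <redacted> -o $fmt $query $extra"
}
```

Run it as a step before the fetcher in a workflow so a misconfiguration fails fast with a clear message rather than stalling on an interactive prompt.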