We needed this to understand the source of a large influx of requests for a given URI pattern.
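# Report the 50 client IPs that sent the most requests matching a URI pattern.
#
# Runs a one-shot Splunk search over the web access logs for a fixed time
# window and prints one "ip count" line per result, busiest client first.
import getpass
import os

import splunklib.client as client
import splunklib.results as results

# Credentials are read at run time instead of being written into the script,
# so a copy of this file (or its history) never carries a usable password.
# The environment variable names below are this script's own convention.
splunk_password = os.environ.get("SPLUNK_PASSWORD") or getpass.getpass("Splunk password: ")

# NOTE(review): depending on the SDK version, certificate verification for the
# management port may be off by default -- confirm, and enable it wherever the
# deployment presents a trusted certificate.
service = client.connect(
    host=os.environ["SPLUNK_HOST"],
    port=os.environ.get("SPLUNK_PORT", "8089"),
    username=os.environ.get("SPLUNK_USERNAME") or getpass.getuser(),
    password=splunk_password,
)

# The search is assembled piece by piece so that the regex can live in a raw
# string while the split() delimiter stays a literal tab character.
job = (
    'search host="cmhlpecomweb*" sourcetype=access_combined karlie-kloss '
    # presumably the access log is tab-delimited with the client address in
    # field 13 -- verify against the web servers' log format.
    '| eval temp=split(_raw,"\t") '
    '| eval tm=mvindex(temp,13) '
    # The capture group needs the name "ip" because the stats clause groups by
    # that field; the published listing had lost the "<ip>" part.
    # NOTE(review): the pattern matches three dot-separated numbers only, so
    # counts are keyed on the first three octets of an IPv4 address; append
    # another \.\d+ if full addresses are wanted.
    r'| rex field=tm "(?<ip>\d+\.\d+\.\d+)" '
    '| stats count by ip '
    '| sort - count '
    '| head 50'
)

search_window = {
    "earliest_time": "2017-04-04T11:00:00.000-04:00",
    "latest_time": "2017-04-04T18:00:00.000-04:00",
    # count=0 asks Splunk for every result row rather than the default page size.
    "count": 0,
}

rr = results.ResultsReader(service.jobs.oneshot(job, **search_window))

for result in rr:
    # The reader can also yield diagnostic message objects; only dict rows
    # carry the "ip" and "count" fields.
    if isinstance(result, dict):
        # Formatting first keeps the output identical on Python 2 and 3.
        print("%s %s" % (result["ip"], result["count"]))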