{"id":6240,"date":"2017-04-18T14:47:50","date_gmt":"2017-04-18T19:47:50","guid":{"rendered":"http:\/\/appcrawler.com\/wordpress\/?p=6240"},"modified":"2017-04-19T09:22:01","modified_gmt":"2017-04-19T14:22:01","slug":"splunk-query-for-custom-apache-access-log-format","status":"publish","type":"post","link":"http:\/\/appcrawler.com\/wordpress\/2017\/04\/18\/splunk-query-for-custom-apache-access-log-format\/","title":{"rendered":"Splunk query for custom Apache access log format"},"content":{"rendered":"<p>We have a kludgy access log format.  It certainly isn&#8217;t standard.  At any rate, the out of the box transforms.conf can&#8217;t handle it.  Rather than change that, I elected to split the lines on the fly; not as fast, but it&#8217;s an option.  (Search-time splitting costs more than an indexed field extraction because every event in the time range is split again on each search.)  The search below keeps only <code>_raw<\/code>, splits each line on the tab delimiter into a multivalue field, takes the eighth element as the response code (<code>mvindex<\/code> is zero-based, so that is index 7), and keeps only events with an HTTP response code of 404.  Note that <code>split<\/code> is a plain delimiter split with no quoting rules: a quoted field that itself contains a tab would shift the index.<\/p>\n<pre>\r\nimport splunklib.client as client\r\nimport splunklib.results as results\r\n\r\n# Connect to the Splunk management port (8089); credentials redacted.\r\nservice = client.connect(host=\"*******\", port=\"8089\", username=\"*****\", password=\"******\")\r\n\r\n# Split each raw event on tab, take the eighth field (mvindex is zero-based)\r\n# as the response code, and keep only 404s.  count=0 returns every match\r\n# instead of the default result cap.\r\nrr = results.ResultsReader(service.jobs.oneshot(\"\"\"\r\nsearch host=\\\"cmhlpecomweb*\\\" sourcetype=access_combined | \r\n  fields _raw | \r\n  eval temp=split(_raw,\\\"\\t\\\") | \r\n  eval response_code=mvindex(temp,7) | \r\n  where response_code = 404\r\n\"\"\",\r\n  **{\"earliest_time\":\"2017-04-16T03:18:00.000-04:00\",\r\n     \"latest_time\":\"2017-04-16T03:22:00.000-04:00\",\r\n     \"count\": 0}))\r\n\r\nfor result in rr:\r\n  # ResultsReader also yields results.Message objects; only dicts are events\r\n  if isinstance(result, dict):\r\n    print(result['_raw'])\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>We have a kludgy access log format. It certainly isn&#8217;t standard.  At any rate, the out of the box transforms.conf can&#8217;t handle it. 
Rather than change that, I elected to split the lines on the fly; not as fast, but&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"http:\/\/appcrawler.com\/wordpress\/2017\/04\/18\/splunk-query-for-custom-apache-access-log-format\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[81],"tags":[],"_links":{"self":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/6240"}],"collection":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/comments?post=6240"}],"version-history":[{"count":5,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/6240\/revisions"}],"predecessor-version":[{"id":6256,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/6240\/revisions\/6256"}],"wp:attachment":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/media?parent=6240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/categories?post=6240"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/tags?post=6240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
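The post's SPL pipeline (split `_raw` on tab, take `mvindex(temp,7)` as the response code, keep 404s) can be checked offline before it is run against Splunk. The block below is an added example and is not code from the original post: it mirrors that pipeline in plain Python over constructed sample lines, so the field offset can be confirmed against a known line layout, and it shows how Splunk's behaviour on a short event (mvindex returns null, the `where` drops it) is reproduced. The column order in `FIELDS` and the sample events are assumptions; the post only establishes that the status code is the eighth tab-separated field.

```python
"""Offline check of the tab-delimited split used in the post.

Added example, not code from the original post.  It mirrors the SPL
pipeline (split _raw on tab, take mvindex 7 as the response code, keep
404s) over constructed sample lines so the field offset can be confirmed
before the search is run against Splunk.  The column order in FIELDS is
an assumption; the post only establishes that the status code is the
eighth tab-separated field.
"""
from typing import Dict, Iterable, List, Optional

# Assumed column layout for the custom tab-delimited access log.
FIELDS = ["client_ip", "ident", "user", "timestamp", "method", "path",
          "protocol", "status", "bytes", "referer", "user_agent"]

# Position of the status field; must agree with mvindex(temp,7) in the post.
STATUS_INDEX = FIELDS.index("status")

# Constructed sample events, not real log data.  The third line is
# truncated to show how a short event is handled.
SAMPLE_LINES = [
    "\t".join(["10.0.0.5", "-", "-", "16/Apr/2017:03:18:01 -0400", "GET",
               "/index.html", "HTTP/1.1", "200", "5120", "-", "Mozilla/5.0"]),
    "\t".join(["10.0.0.9", "-", "-", "16/Apr/2017:03:18:07 -0400", "GET",
               "/wp-login.php", "HTTP/1.1", "404", "231", "-", "curl/7.52"]),
    "\t".join(["10.0.0.9", "-", "-", "16/Apr/2017:03:18:09 -0400"]),
    "\t".join(["10.0.0.12", "-", "-", "16/Apr/2017:03:19:40 -0400", "POST",
               "/xmlrpc.php", "HTTP/1.1", "404", "231", "-", "python-requests/2.13"]),
]


def split_line(raw: str) -> List[str]:
    """Plain delimiter split, the same as eval temp=split(_raw,"\\t")."""
    return raw.rstrip("\r\n").split("\t")


def status_of(raw: str) -> Optional[str]:
    """Return the eighth field, or None when the line is too short.

    Splunk's mvindex returns null for an out-of-range index and the
    where clause then drops the event; None plays the same role here.
    """
    fields = split_line(raw)
    return fields[STATUS_INDEX] if len(fields) > STATUS_INDEX else None


def parse_line(raw: str) -> Dict[str, str]:
    """Map the split fields onto the assumed column names."""
    return dict(zip(FIELDS, split_line(raw)))


def filter_status(lines: Iterable[str], code: str = "404") -> List[str]:
    """Keep only the lines whose response code equals `code`."""
    return [line for line in lines if status_of(line) == code]


def build_spl(host_glob: str = "cmhlpecomweb*", code: int = 404) -> str:
    """Reproduce the post's search string with the status offset taken from FIELDS.

    The delimiter is a literal tab character, as in the post, where Python
    expands \\t inside the triple-quoted search before it reaches Splunk.
    """
    return (
        f'search host="{host_glob}" sourcetype=access_combined | '
        "fields _raw | "
        'eval temp=split(_raw,"\t") | '
        f"eval response_code=mvindex(temp,{STATUS_INDEX}) | "
        f"where response_code = {code}"
    )


if __name__ == "__main__":
    for hit in filter_status(SAMPLE_LINES):
        event = parse_line(hit)
        print(event["client_ip"], event["path"])
    print(build_spl())
```

Run it once against a handful of real lines from the log (replacing `SAMPLE_LINES`) to confirm that index 7 really is the status column in your layout; if the offset changes, `build_spl()` emits a search with the corrected `mvindex` that can be dropped straight into the `oneshot` call from the post.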