As I mentioned in the previous post, we are going to write a custom command that transforms search results into XML. Something like:
// Emit one <SearchResult> element per result, with one child element for each
// field the result actually has. Field names and values are appended verbatim.
SearchResults::iterator it;
for (it = results.begin(); it != results.end(); ++it) {
    // The iterator dereferences twice to reach a SearchResult; this copies the
    // result on every iteration (a reference may suffice — depends on the
    // SearchResults API, which is not visible here).
    SearchResult r = **it;
    _output.append("<SearchResult>");
    // NOTE(review): the key set depends only on `results`, yet it is rebuilt
    // on every iteration; it could be computed once before the outer loop.
    std::set<Str> allFields;
    results.getAllKeys(allFields);
    for (std::set<Str>::const_iterator sit = allFields.begin(); sit !=
         allFields.end(); ++sit) {
        // NOTE(review): same for the index lookup — it depends only on the
        // field name, not on the current result.
        sr_index_t index = results.getIndex(*sit);
        // check all xml tags are constructed without whitespaces
        // NOTE(review): trim() only strips whitespace — neither the field name
        // nor the value is XML-escaped. Event data (e.g. _raw) is untrusted:
        // a value containing '<', '&' or ']]>', or a field name that is not a
        // valid XML Name, yields malformed XML or lets the event inject its
        // own elements into _output. Escape the value and validate the name
        // before appending.
        if (r.exists(index)){
            _output.append("<" + (*sit).trim() + ">");
            _output.append(r.getValue(index));
            _output.append("</" + (*sit).trim() + ">");
        }
    }
    _output.append("</SearchResult>");
}
However, Splunk already ships xpath.py, which wraps an event value so that it is valid XML, i.e. it emits `<data>%s</data>` where the inner XML is the value of the event's _raw field. That is different from the approach above, which builds one element per field.
There are data-structure-to-XML Python recipes on the web, such as Recipe #577268 here.
There is also another way, described in the Splunk SDK as follows:
To use the reader, instantiate :class:`ResultsReader` on a search result stream
as follows:
reader = ResultsReader(result_stream)
for item in reader:
print(item)
We try to do it this way:
rrajamani-mbp15r:splunkb rrajamani$ cat etc/system/local/commands.conf
[smplcmd]
filename = smplcmd.py
streaming = true
local = true
retainsevents = true
overrides_timeorder = false
supports_rawargs = true
# untested
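#!/usr/bin/python
# Custom Splunk search command: serialise the incoming results as one XML
# document and attach it to each result in an output field (default "xml").
#
# Options (key=value on the search line):
#   field    - serialise only this field instead of the default list
#   outfield - name of the field that receives the XML (default "xml")
import re
from xml.sax.saxutils import escape

import splunk.Intersplunk as si
import time

# Fields emitted in each <searchResult> when no 'field' option is given.
DEFAULT_FIELDS = ["host", "source", "sourcetype", "_raw", "_time"]

# Field names become XML element names, so they must be valid XML Names.
# Deliberately conservative: ASCII letters, digits, '_', '-' and '.', and not
# starting with a digit, '-' or '.'.
_XML_NAME = re.compile(r'^[A-Za-z_][A-Za-z0-9_.-]*$')


def result_to_xml(result, fields):
    """Return one <searchResult> element for ``result``.

    Only fields that are present (value is not None) are emitted. Values are
    XML-escaped because event data such as _raw is untrusted and may contain
    '<', '&' or other markup; element names are validated so that a
    user-supplied ``field`` option cannot inject a tag.

    Raises ValueError if a field name is not a valid XML element name.
    """
    parts = ["<searchResult>"]
    for field in fields:
        # Lookup uses the field as given; the element name is the stripped form.
        tag = str(field).strip()
        if not _XML_NAME.match(tag):
            raise ValueError("field name %r is not a valid XML element name" % tag)
        val = result.get(field, None)
        if val is not None:
            # str(val) on a non-ASCII unicode value can raise under Python 2 —
            # TODO confirm what type getOrganizedResults yields for values.
            parts.append("<%s>%s</%s>" % (tag, escape(str(val)), tag))
    parts.append("</searchResult>")
    return "".join(parts)


def results_to_xml(results, fields):
    """Wrap every result, in order, in a single <searchResults> document."""
    body = "".join(result_to_xml(r, fields) for r in results)
    return "<searchResults>" + body + "</searchResults>"


if __name__ == '__main__':
    try:
        keywords, options = si.getKeywordsAndOptions()
        results, dummyresults, settings = si.getOrganizedResults()
        outfield = options.get('outfield', 'xml')
        # A 'field' option replaces the default list. (Looking the option up
        # once per default field, as before, emitted the same element five
        # times whenever the option was set.)
        if 'field' in options:
            fields = [options['field']]
        else:
            fields = list(DEFAULT_FIELDS)
        myxml = results_to_xml(results, fields)
        # Every result carries the complete document. The original's
        # indentation was lost on the page, so whether it set the field on
        # each result or only on the last one cannot be told; attaching the
        # finished document to all of them is the usable reading.
        # Assumes results is a list (iterated twice) — TODO confirm against
        # si.getOrganizedResults.
        for result in results:
            result[outfield] = myxml
        si.outputResults(results)
    except Exception as e:
        import traceback
        stack = traceback.format_exc()
        si.generateErrorResults("Error '%s'. %s" % (e, stack))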
SearchResults::iterator it;
// Emit one <SearchResult> element per result, with one child element for each
// field the result actually has. Field names and values are appended verbatim.
for (it = results.begin(); it != results.end(); ++it) {
    // The iterator dereferences twice to reach a SearchResult; this copies the
    // result on every iteration (a reference may suffice — depends on the
    // SearchResults API, which is not visible here).
    SearchResult r = **it;
    _output.append("<SearchResult>");
    // NOTE(review): the key set depends only on `results`, yet it is rebuilt
    // on every iteration; it could be computed once before the outer loop.
    std::set<Str> allFields;
    results.getAllKeys(allFields);
    for (std::set<Str>::const_iterator sit = allFields.begin(); sit !=
         allFields.end(); ++sit) {
        // NOTE(review): same for the index lookup — it depends only on the
        // field name, not on the current result.
        sr_index_t index = results.getIndex(*sit);
        // check all xml tags are constructed without whitespaces
        // NOTE(review): trim() only strips whitespace — neither the field name
        // nor the value is XML-escaped. Event data (e.g. _raw) is untrusted:
        // a value containing '<', '&' or ']]>', or a field name that is not a
        // valid XML Name, yields malformed XML or lets the event inject its
        // own elements into _output. Escape the value and validate the name
        // before appending.
        if (r.exists(index)){
            _output.append("<" + (*sit).trim() + ">");
            _output.append(r.getValue(index));
            _output.append("</" + (*sit).trim() + ">");
        }
    }
    _output.append("</SearchResult>");
}
However, Splunk already ships xpath.py, which wraps an event value so that it is valid XML, i.e. it emits `<data>%s</data>` where the inner XML is the value of the event's _raw field. That is different from the approach above, which builds one element per field.
There are data-structure-to-XML Python recipes on the web, such as Recipe #577268 here.
There is also another way, described in the Splunk SDK as follows:
To use the reader, instantiate :class:`ResultsReader` on a search result stream
as follows:
reader = ResultsReader(result_stream)
for item in reader:
print(item)
We try to do it this way:
rrajamani-mbp15r:splunkb rrajamani$ cat etc/system/local/commands.conf
[smplcmd]
filename = smplcmd.py
streaming = true
local = true
retainsevents = true
overrides_timeorder = false
supports_rawargs = true
# untested
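#!/usr/bin/python
# Custom Splunk search command: serialise the incoming results as one XML
# document and attach it to each result in an output field (default "xml").
#
# Options (key=value on the search line):
#   field    - serialise only this field instead of the default list
#   outfield - name of the field that receives the XML (default "xml")
import re
from xml.sax.saxutils import escape

import splunk.Intersplunk as si
import time

# Fields emitted in each <searchResult> when no 'field' option is given.
DEFAULT_FIELDS = ["host", "source", "sourcetype", "_raw", "_time"]

# Field names become XML element names, so they must be valid XML Names.
# Deliberately conservative: ASCII letters, digits, '_', '-' and '.', and not
# starting with a digit, '-' or '.'.
_XML_NAME = re.compile(r'^[A-Za-z_][A-Za-z0-9_.-]*$')


def result_to_xml(result, fields):
    """Return one <searchResult> element for ``result``.

    Only fields that are present (value is not None) are emitted. Values are
    XML-escaped because event data such as _raw is untrusted and may contain
    '<', '&' or other markup; element names are validated so that a
    user-supplied ``field`` option cannot inject a tag.

    Raises ValueError if a field name is not a valid XML element name.
    """
    parts = ["<searchResult>"]
    for field in fields:
        # Lookup uses the field as given; the element name is the stripped form.
        tag = str(field).strip()
        if not _XML_NAME.match(tag):
            raise ValueError("field name %r is not a valid XML element name" % tag)
        val = result.get(field, None)
        if val is not None:
            # str(val) on a non-ASCII unicode value can raise under Python 2 —
            # TODO confirm what type getOrganizedResults yields for values.
            parts.append("<%s>%s</%s>" % (tag, escape(str(val)), tag))
    parts.append("</searchResult>")
    return "".join(parts)


def results_to_xml(results, fields):
    """Wrap every result, in order, in a single <searchResults> document."""
    body = "".join(result_to_xml(r, fields) for r in results)
    return "<searchResults>" + body + "</searchResults>"


if __name__ == '__main__':
    try:
        keywords, options = si.getKeywordsAndOptions()
        results, dummyresults, settings = si.getOrganizedResults()
        outfield = options.get('outfield', 'xml')
        # A 'field' option replaces the default list. (Looking the option up
        # once per default field, as before, emitted the same element five
        # times whenever the option was set.)
        if 'field' in options:
            fields = [options['field']]
        else:
            fields = list(DEFAULT_FIELDS)
        myxml = results_to_xml(results, fields)
        # Every result carries the complete document. The original's
        # indentation was lost on the page, so whether it set the field on
        # each result or only on the last one cannot be told; attaching the
        # finished document to all of them is the usable reading.
        # Assumes results is a list (iterated twice) — TODO confirm against
        # si.getOrganizedResults.
        for result in results:
            result[outfield] = myxml
        si.outputResults(results)
    except Exception as e:
        import traceback
        stack = traceback.format_exc()
        si.generateErrorResults("Error '%s'. %s" % (e, stack))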
