We're using "verification" and "validation" in the same meaning here - so Fiona's answer was actually in line with what you are asking. Let me try and clarify some of the difficulties here so that we're on the same page, and hopefully it will explain why we don't have a good answer to your question. As you know, Splunk allows administrators to set any certificates they so desire. The notion of a "valid SSL cert" is in the eyes of the beholder. For example, there is nothing "invalid" or "unverifiable" with the default certificates that ship with Splunk - they are simply self-signed, meaning they won't be recognized by any system that does not have the Splunk CA certificate installed in its own root trust chain. Additionally, it's very common for our customers to use their own internal CAs and thus internal self-signed certificates, which would also fail "validation"/"verification", as they are not in the trust chain. When you say you want to verify the certificate, it can be done in one of two ways: Use the normally trusted certificates (e.g. what httplib2 does by default) to verify against, which will fail if you have a self-signed certificate and did not add it to that list, even though from a customer's perspective there is nothing wrong with that cert. Pass the certificate to validate against, which would mean you need to know what that certificate is (but then you can ensure you're talking to the right server). I think (1) is fraught with peril, as you'll continuously run into cases where a certificate is "just fine", but you'll mark it as invalid. I think (2) is the correct thing to do, but it means you need to be able to know which certificates to verify against, which means you need to read that from the Splunk configuration. This is also fraught with peril, for a couple of reasons: you need to access this configuration from disk, as I do not believe it's exposed via REST (though I am not sure, it may be in /server/settings). You'll then need to be able to access those certificates (or at least the CA), which again may not be possible (and even if it is possible today may not always be possible) In short, I think the best way for you to do this would be: Have a parameter in your app (e.g. in your conf files) that enables/disables certificate validation. Have a parameter (or set of parameters) that the administrator can specify what certificates to validate against, and then you can do that validation properly. Hopefully this makes sense. P.S. I used "validate" and "verify" interchangeably here. ... View more

Great - once you have the repro, ping me. My email is my username here @splunk.com 🙂 ... View more

Thanks Wes - this is useful information. Can you try one more thing, which is to do the export as XML and not as CSV from curl? I imagine it'll be the same, but I just want to double check. We have no known issue with duplicates in the SDK, but that doesn't mean there isn't one. I tried to reproduce this on a large-ish dataset (>1M records), but no luck, with similar code. ... View more

If you just run the same search via curl (export and everything) and dump it all into a file (until it completes), do you also see the duplicates there? My main question is whether we're seeing duplicates that the SDK is generating due to some error or whether Splunk is returning unexpected results. By the way, is event_id something in your data, or something you are seeing Splunk return? Finally, keep in mind that it's not necessarily correct to compare what you see in the UI vs what you see from the SDK - the UI passes in quite a few different parameters that the SDK does not by default (for a variety of reasons), and the UI is not running an export search. ... View more

You can either use the regular Django Form framework, or you can just regular HTML forms and have it POST to a specific URL, and on the Django side you would configure urls.py to have a proper handler for that URL, and you would get the POST variables there. Using the above, you would gain access to the POST variables on the Python side (in Django), and would be able to modify them. For debugging, you can either use logging (and it will go to django_service.log in var/logs/splunk), or you can attach a Python debugger (e.g. from PyCharm) to the Python application. You would use regular Django templates here - you would have any variables on the Python side, and would just give it to the template and render them. ... View more

What happens if you make the same request using curl? Also, likely there is some output together with the 400 status code - can you post it here? ... View more

Can you share the code you have that you are using? I want to make sure I am following what you are doing. ... View more

OK - Service.connect is used to connect to the management port (the REST API) - so you should use that port. Let me know if that makes sense. ... View more

When you say a "tcp receiver port of 9997" - is this a TCP input port (from inputs.conf) or the management port for Splunk (i.e. the default being 8089)? ... View more

I explained my question poorly - I apologize. What search are you running (i.e. what is the search string)? How are you executing it (are you running it through the UI and getting the , or running it through the API)? If it is from the API, what code is running it? The details you gave above only talk about how you are requesting results from a specific search, not about how that search was created, which is what we need to know. ... View more

What search are you running? How are you running it? If it is from the REST API, what parameters are you sending to the REST API? ... View more

My previous comment here wasn't quite accurate, so I removed it (since I can't edit it). ... View more

I believe the issue is "caused" by the REST API rather than the SDK. The specific reason is roughly this: when search results are stored on disk as .csv.gz files (essentially, compressed CSVs), they are not seekable. So when you ask for offset 100K, for example, we will unpack the file until we find that offset, and then return 10/100/1000 results (however many you specified in count). When you then try and get offset 100010, we will expand it again, seek to that offset, and so forth. So as get into larger offsets, it will take longer and longer to do. To put it concisely: this specific API is not a good fit for exporting the entire result set. To do that, the best way is to use the /export API endpoint, for which there is an equivalent export function in the Python SDK. This will stream the results to you as they become availabe, rather than you having to iterate over them through disk. We're working on an example for dev.splunk.com to show how to use export , though it should be pretty similar to what you have above, just with a single ResultsReader . ... View more

It is certainly possible, and the regular examples should work. I don't have an example handy right now, but if I find one I'll update my answer. ... View more

We don't have this functionality available out of the box at the moment, but it is definitely something we are pursuing and want to help developers be able to compile and minify their application code. You should also add this as a request to our UserVoice. ... View more

The cache property is really only used for fetching the job - it has no impact on search creation. A real time search has no end, and thus will never finish on its own (something needs to cancel it). We can do a couple of things: 1. Pause a real time search on page navigation (this is what the search page does) 2. Set the auto_cancel property on the real time search to the same as the cache value. Happy to hear more suggestions. ... View more

What OS are you running on? Also, the UI ends up using the API as well, so it is odd it is much faster in the UI. In the search inspector for both jobs (ones started from the UI and ones from the API), do you see any marked difference, especially in the 'request' field (which should be a JSON dictionary)? ... View more

If you want the RT search to cancel after some period of inactivity, just set the auto_cancel parameter on the manager. You can see it in action here: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#POST_search.2Fjobs (note that while on the page your search won't cancel as we ping it). (in two comments due to character limits) ... View more

When do you expect it to cancel? A real time search will continue running even when you navigate away from the page, due to the fact that it is never done (as I noted above). Setting cache=False will just mean that if you change a setting on the manager (e.g. change the query) we will cancel the previous search. ... View more

You should be able to do this using any regular JS slideshow library. You can just create both charts and tell the library to toggle between them. ... View more

@crt86: did you get what you need from the below tutorials? You can also look at the Web Framework Toolkit for samples of custom views. ... View more

@jmurdza: one option is to look at the search properties themselves. For example, if you subscribe to the search:done event on the search manager, you'll get notified when you the search is done including the job properties. With those, you can look at the earliestTime, latestTime, indexEarliestTime and indexLatestTime to obtain the information you want. Note that not all of them are guaranteed to be there. For example, with an "All time" search, 'latestTime' will not be present as it is synonymous to "now". ... View more