msticpy.data.drivers.splunk_driver module

Splunk Driver class.

class msticpy.data.drivers.splunk_driver.SplunkDriver(**kwargs)

Bases: DriverBase

Driver to connect and query from Splunk.

Instantiate Splunk Driver.

add_query_filter(name, query_filter)

Add an expression to the query attach filter.

connect(connection_str: Optional[str] = None, **kwargs)

Connect to Splunk via splunk-sdk.

Parameters

  • connection_str (Optional[str], optional) – Connection string with Splunk connection parameters

  • kwargs – Connection parameters can be supplied as keyword parameters.

Notes

Default configuration is read from the DataProviders/Splunk section of msticpyconfig.yaml, if available.

property connected: bool

Return true if at least one connection has been made.

Returns

True if a successful connection has been made.

Return type

bool

Notes

This does not guarantee that the last data source connection was successful. It is a best effort to track whether the provider has made at least one successful authentication.

property driver_queries: Iterable[Dict[str, Any]]

Return dynamic queries available on connection to service.

Returns

List of queries with properties: “name”, “query”, “container” and (optionally) “description”

Return type

Iterable[Dict[str, Any]]

Raises

MsticpyNotConnectedError – If called before driver is connected.

static get_http_timeout(**kwargs)

Get http timeout from settings or kwargs.

property instance: Optional[str]

Return instance name, if one is set.

Returns

The name of driver instance or None if the driver does not support multiple instances

Return type

Optional[str]

property loaded: bool

Return true if the provider is loaded.

Returns

True if the provider is loaded.

Return type

bool

Notes

This is not relevant for some providers.

query(query: str, query_source: Optional[QuerySource] = None, **kwargs) Union[DataFrame, Any]

Execute splunk query and retrieve results via OneShot or async search mode.

Parameters

  • query (str) – Splunk query to execute via OneShot or async search mode

  • query_source (QuerySource) – The query definition object

  • count (int, optional) – Passed to Splunk oneshot method if oneshot is True, by default, 0

  • oneshot (bool, optional) – Set to True for oneshot (blocking) mode, by default False

Returns

Query results in a dataframe. or query response if an error.

Return type

Union[pd.DataFrame, Any]

property query_attach_spec: Dict[str, Set[str]]

Parameters that determine whether a query is relevant for the driver.

query_with_results(query: str, **kwargs) Tuple[DataFrame, Any]

Execute query string and return DataFrame of results.

Parameters

query (str) – Query to execute against splunk instance.

Returns

A DataFrame (if successful) or the underlying provider result if an error occurs.

Return type

Union[pd.DataFrame,Any]

property schema: Dict[str, Dict]

Return current data schema of connection.

Returns

Data schema of current connection.

Return type

Dict[str, Dict]

property service_queries: Tuple[Dict[str, str], str]

Return dynamic queries available on connection to service.

Returns

Dictionary of query_name, query_text. Name of container to add queries to.

Return type

Tuple[Dict[str, str], str]