|
| 1 | +# Splunk SDK Python - AI Assistant Guide |
| 2 | + |
| 3 | +This guide helps AI coding assistants understand the key patterns and practices of the Splunk SDK for Python codebase. |
| 4 | + |
| 5 | +## Architecture Overview |
| 6 | + |
| 7 | +The SDK is organized into several key modules: |
| 8 | + |
| 9 | +- `splunklib.client`: Main interface for interacting with Splunk's REST API |
| 10 | +- `splunklib.binding`: Low-level HTTP and authentication handling |
| 11 | +- `splunklib.data`: XML/Atom feed parsing utilities |
| 12 | +- `splunklib.modularinput`: Framework for creating Splunk modular inputs |
| 13 | +- `splunklib.searchcommands`: Framework for custom search commands |
| 14 | + |
| 15 | +### Core Patterns |
| 16 | + |
| 17 | +1. Service Connection: |
| 18 | + |
| 19 | +```python |
| 20 | +import splunklib.client as client |
| 21 | +service = client.connect( |
| 22 | + host='localhost', |
| 23 | + port=8089, |
| 24 | + username='admin', |
| 25 | + password='changeme' |
| 26 | + # OR splunkToken=<bearer_token> |
| 27 | + # OR token=<session_key> |
| 28 | +) |
| 29 | +``` |
| 30 | + |
| 31 | +2. Resource Collections Pattern: |
| 32 | + |
| 33 | +- All Splunk resources (apps, jobs, searches etc.) are accessed via collections |
| 34 | +- Collections return Entity objects with attribute access |
| 35 | +- Example: |
| 36 | + |
| 37 | +```python |
| 38 | +apps = service.apps |
| 39 | +my_app = apps.create('my_app') |
| 40 | +print(my_app['author']) # Or: my_app.author |
| 41 | +``` |
| 42 | + |
| 43 | +3. XML Data Handling: |
| 44 | + |
| 45 | +- Use `splunklib.data.load()` for parsing Splunk's XML responses |
| 46 | +- Include proper XML namespace handling as shown in `data.py` |
| 47 | + |
| 48 | +## Development Workflows |
| 49 | + |
| 50 | +1. Testing: |
| 51 | + |
| 52 | +```bash |
| 53 | +# Run all tests with Docker |
| 54 | +make up SPLUNK_VERSION=9.2 |
| 55 | +make wait_up |
| 56 | +make test |
| 57 | +make down |
| 58 | + |
| 59 | +# Run specific test |
| 60 | +make test_specific TEST=tests/test_binding.py |
| 61 | +``` |
| 62 | + |
| 63 | +2. Environment Setup: |
| 64 | + |
| 65 | +- Required: Python 3.7, 3.9, or 3.13 |
| 66 | +- Create `.env` file for test credentials (see README template) |
| 67 | +- Set `PYTHONPATH` to include SDK root |
| 68 | + |
| 69 | +## Project-Specific Conventions |
| 70 | + |
| 71 | +1. Search Command Development: |
| 72 | + |
| 73 | +- Use `self.add_field(record, fieldname, value)` to modify records |
| 74 | +- Never modify record dictionaries directly |
| 75 | +- Example: |
| 76 | + |
| 77 | +```python |
| 78 | +class CustomStreamingCommand(StreamingCommand): |
| 79 | + def stream(self, records): |
| 80 | + for record in records: |
| 81 | + self.add_field(record, "new_field", "value") |
| 82 | + yield record |
| 83 | +``` |
| 84 | + |
| 85 | +2. Modular Input Development: |
| 86 | + |
| 87 | +- Access metadata via InputDefinition in stream_events() |
| 88 | +- Use `gen_record()` for generating events in custom commands |
| 89 | + |
| 90 | +## Key Integration Points |
| 91 | + |
| 92 | +1. Authentication Methods: |
| 93 | + |
| 94 | +- Username/password |
| 95 | +- Bearer token |
| 96 | +- Session key |
| 97 | +- See connection examples in README |
| 98 | + |
| 99 | +2. Test Dependencies: |
| 100 | + |
| 101 | +- Requires [SDK App Collection](https://github.com/splunk/sdk-app-collection) |
| 102 | +- Clean Splunk instance recommended (disable \*NIX/Windows apps) |
| 103 | +- Never test against production instances |
| 104 | + |
| 105 | +## Reference Files |
| 106 | + |
| 107 | +- `splunklib/client.py`: Core service and entity implementations |
| 108 | +- `splunklib/data.py`: XML parsing patterns |
| 109 | +- `tests/README.md`: Testing configuration and practices |
| 110 | +- `.env.template`: Environment variable template |
| 111 | + |
| 112 | +For more details, consult the [Developer Portal Reference](https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/). |
0 commit comments