splank 0.1.0__tar.gz

splank-0.1.0/PKG-INFO

@@ -0,0 +1,89 @@
+Metadata-Version: 2.4
+Name: splank
+Version: 0.1.0
+Summary: CLI tool for querying Splunk logs. Search indexes, discover fields, and manage search jobs.
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/vivainio/splank
+Project-URL: Repository, https://github.com/vivainio/splank
+Project-URL: Issues, https://github.com/vivainio/splank/issues
+Keywords: splunk,cli,logs,search,observability,siem
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: System :: Logging
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: platformdirs>=4.0.0
+
+# Splank
+
+CLI tool for querying Splunk logs.
+
+## Setup
+
+```bash
+splank init
+```
+
+This creates `~/.config/splank/credentials.toml` with your Splunk credentials.
+
+### Configuration
+
+The credentials file supports multiple profiles:
+
+```toml
+default_profile = "prod"
+
+[profiles.prod]
+host = "splunk.example.com"
+port = 8089
+token = "your-token-here"
+verify_ssl = true
+
+[profiles.qa]
+host = "splunk-qa.example.com"
+port = 8089
+username = "admin"
+password = "changeme"
+verify_ssl = true
+```
+
+## Usage
+
+```bash
+# Search (uses default profile)
+splank search 'index=main Level=ERROR' -m 10
+
+# Search using specific profile
+splank -p qa search 'index=main Level=ERROR'
+
+# Discover indexes
+splank discover 'web*'
+
+# Discover with field info
+splank discover 'app-*' --fields -o DISCOVERY.md
+
+# Manage jobs
+splank jobs
+splank clear
+```
+
+## Commands
+
+- `init` - Create credentials file
+- `search` - Execute SPL query
+- `discover` - Discover available indexes
+- `jobs` - List search jobs
+- `clear` - Clear my search jobs
+
+## Options
+
+- `-p, --profile` - Splunk profile to use (e.g., 'qa', 'prod')
+- `-V, --version` - Show version

splank-0.1.0/README.md

@@ -0,0 +1,65 @@
+# Splank
+
+CLI tool for querying Splunk logs.
+
+## Setup
+
+```bash
+splank init
+```
+
+This creates `~/.config/splank/credentials.toml` with your Splunk credentials.
+
+### Configuration
+
+The credentials file supports multiple profiles:
+
+```toml
+default_profile = "prod"
+
+[profiles.prod]
+host = "splunk.example.com"
+port = 8089
+token = "your-token-here"
+verify_ssl = true
+
+[profiles.qa]
+host = "splunk-qa.example.com"
+port = 8089
+username = "admin"
+password = "changeme"
+verify_ssl = true
+```
+
+## Usage
+
+```bash
+# Search (uses default profile)
+splank search 'index=main Level=ERROR' -m 10
+
+# Search using specific profile
+splank -p qa search 'index=main Level=ERROR'
+
+# Discover indexes
+splank discover 'web*'
+
+# Discover with field info
+splank discover 'app-*' --fields -o DISCOVERY.md
+
+# Manage jobs
+splank jobs
+splank clear
+```
+
+## Commands
+
+- `init` - Create credentials file
+- `search` - Execute SPL query
+- `discover` - Discover available indexes
+- `jobs` - List search jobs
+- `clear` - Clear my search jobs
+
+## Options
+
+- `-p, --profile` - Splunk profile to use (e.g., 'qa', 'prod')
+- `-V, --version` - Show version

splank-0.1.0/pyproject.toml

@@ -0,0 +1,35 @@
+[project]
+name = "splank"
+version = "0.1.0"
+description = "CLI tool for querying Splunk logs. Search indexes, discover fields, and manage search jobs."
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+keywords = ["splunk", "cli", "logs", "search", "observability", "siem"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: System :: Logging",
+    "Topic :: Utilities",
+]
+dependencies = [
+    "platformdirs>=4.0.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/vivainio/splank"
+Repository = "https://github.com/vivainio/splank"
+Issues = "https://github.com/vivainio/splank/issues"
+
+[project.scripts]
+splank = "splank.cli:main"
+
+[tool.uv]
+package = true

splank-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

splank-0.1.0/splank/__init__.py

@@ -0,0 +1,32 @@
+"""Splank - CLI tool for querying Splunk logs."""
+
+from importlib.metadata import version
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from splank.client import SplunkClient
+
+__version__ = version("splank")
+
+
+def client(profile: str | None = None) -> "SplunkClient":
+    """Get an authenticated Splunk client.
+
+    Returns an authenticated SplunkClient instance using credentials
+    from ~/.config/splank/credentials.toml.
+
+    Args:
+        profile: Profile name (e.g., 'qa', 'prod'). If None, uses default profile.
+
+    Usage:
+        import splank
+        client = splank.client()  # uses default profile
+        client = splank.client("qa")  # uses qa profile
+        results = list(client.search("index=main | head 10"))
+
+    Returns:
+        SplunkClient: Authenticated Splunk client
+    """
+    from splank.config import get_client
+
+    return get_client(profile)

splank-0.1.0/splank/__main__.py

@@ -0,0 +1,6 @@
+"""Entry point for python -m splank."""
+
+from splank.cli import main
+
+if __name__ == "__main__":
+    main()

splank-0.1.0/splank/cli.py

@@ -0,0 +1,439 @@
+"""Splank CLI - Main entry point."""
+
+import argparse
+import csv
+import fnmatch
+import json
+import sys
+from typing import Iterator
+
+from splank import __version__
+from splank.config import get_client, init_config
+
+
+def output_json(results: list[dict], file: str | None = None) -> None:
+    """Output results as JSON."""
+    output = json.dumps(results, indent=2)
+    if file:
+        with open(file, "w") as f:
+            f.write(output)
+    else:
+        print(output)
+
+
+def output_csv(results: list[dict], file: str | None = None) -> None:
+    """Output results as CSV."""
+    if not results:
+        return
+
+    # Get all unique fields
+    fields: set[str] = set()
+    for row in results:
+        fields.update(row.keys())
+    sorted_fields = sorted(fields)
+
+    if file:
+        f = open(file, "w", newline="")
+    else:
+        f = sys.stdout
+
+    writer = csv.DictWriter(f, fieldnames=sorted_fields)
+    writer.writeheader()
+    writer.writerows(results)
+
+    if file:
+        f.close()
+
+
+def output_table_streaming(results_iter: Iterator[dict]) -> None:
+    """Output results as a simple table, streaming rows as they arrive."""
+    fields: list[str] | None = None
+    widths: dict[str, int] | None = None
+    buffer: list[dict] = []
+    header_printed = False
+
+    for row in results_iter:
+        if fields is None:
+            # First row - determine fields from it
+            fields = sorted(row.keys())
+            widths = {f: max(len(f), 10) for f in fields}
+
+        # Update widths and buffer until we have enough to print header
+        if not header_printed:
+            buffer.append(row)
+            for f in fields:
+                val = str(row.get(f, ""))
+                widths[f] = max(widths[f], min(len(val), 50))
+
+            # Print header after first few rows to get better column widths
+            if len(buffer) >= 5:
+                header = " | ".join(
+                    f.ljust(widths[f])[: widths[f]] for f in fields
+                )
+                print(header)
+                print("-" * len(header))
+                header_printed = True
+                for buffered_row in buffer:
+                    line = " | ".join(
+                        str(buffered_row.get(f, "")).ljust(widths[f])[: widths[f]]
+                        for f in fields
+                    )
+                    print(line)
+                buffer = []
+        else:
+            # Stream directly
+            line = " | ".join(
+                str(row.get(f, "")).ljust(widths[f])[: widths[f]] for f in fields
+            )
+            print(line)
+
+    # Print any remaining buffered rows
+    if buffer:
+        if fields and widths:
+            header = " | ".join(
+                f.ljust(widths[f])[: widths[f]] for f in fields
+            )
+            print(header)
+            print("-" * len(header))
+            for row in buffer:
+                line = " | ".join(
+                    str(row.get(f, "")).ljust(widths[f])[: widths[f]] for f in fields
+                )
+                print(line)
+    elif fields is None:
+        print("No results")
+
+
+def cmd_init(args: argparse.Namespace) -> None:
+    """Initialize credentials file."""
+    init_config()
+
+
+def cmd_search(args: argparse.Namespace) -> None:
+    """Execute a search query."""
+    client = get_client(args.profile)
+
+    use_streaming = args.format == "table" and not args.output
+
+    results = client.search(
+        query=args.query,
+        earliest=args.earliest,
+        latest=args.latest,
+        max_results=args.max_results,
+        stream=use_streaming,
+    )
+
+    if args.format == "json":
+        output_json(list(results), args.output)
+    elif args.format == "csv":
+        output_csv(list(results), args.output)
+    else:
+        output_table_streaming(results)
+
+
+def cmd_clear(args: argparse.Namespace) -> None:
+    """Clear search jobs to free quota."""
+    client = get_client(args.profile)
+
+    # List user's jobs
+    jobs = client.list_jobs(count=100)
+
+    # Filter to non-scheduler jobs (user's own jobs)
+    my_jobs = [
+        j for j in jobs if not j["content"].get("sid", "").startswith("scheduler_")
+    ]
+
+    if not my_jobs:
+        print("No jobs to clear.")
+        return
+
+    deleted = 0
+    for job in my_jobs:
+        sid = job["content"]["sid"]
+        try:
+            client.delete_job(sid)
+            deleted += 1
+        except Exception:
+            pass
+
+    print(f"Cleared {deleted} job(s).")
+
+
+def cmd_discover(args: argparse.Namespace) -> None:
+    """Discover available indexes via search."""
+    client = get_client(args.profile)
+
+    # Use eventcount to discover all searchable indexes (including federated)
+    print("Discovering indexes...", file=sys.stderr)
+    results = list(
+        client.search(
+            "| eventcount summarize=false index=*", earliest="-24h", max_results=1000
+        )
+    )
+
+    # Dedupe and sum counts across indexers
+    index_counts: dict[str, int] = {}
+    for row in results:
+        name = row.get("index", "")
+        count = int(row.get("count", 0))
+        index_counts[name] = max(index_counts.get(name, 0), count)
+
+    # Filter indexes
+    indexes: list[tuple[str, int]] = []
+    for name in sorted(index_counts.keys()):
+        if not args.all and name.startswith(("_", "history", "summary")):
+            continue
+        if args.patterns:
+            if not any(fnmatch.fnmatch(name, p) for p in args.patterns):
+                continue
+        indexes.append((name, index_counts[name]))
+
+    if not args.fields:
+        # Simple list mode
+        for name, count in indexes:
+            print(f"{name:40} {count:>12} events")
+        return
+
+    # Detailed mode with fields - output markdown
+    output = ["# Splunk Index Discovery", ""]
+
+    for name, count in indexes:
+        print(f"Discovering fields for {name}...", file=sys.stderr)
+        output.append(f"## {name}")
+        output.append(f"- **Events (24h):** {count:,}")
+
+        # Get sourcetypes
+        try:
+            st_results = list(
+                client.search(
+                    f"index={name} | stats count by sourcetype | sort -count",
+                    earliest="-24h",
+                    max_results=20,
+                )
+            )
+            if st_results:
+                sourcetypes = [r.get("sourcetype", "") for r in st_results]
+                output.append(f"- **Sourcetypes:** {', '.join(sourcetypes)}")
+        except Exception:
+            pass
+
+        # Get fields using fieldsummary
+        try:
+            field_results = list(
+                client.search(
+                    f"index={name} | head 1000 | fieldsummary | where count > 100 | sort -count | head 30",
+                    earliest="-24h",
+                    max_results=50,
+                )
+            )
+            if field_results:
+                output.append("")
+                output.append("### Fields")
+                output.append("")
+                # Skip internal fields
+                skip_fields = {
+                    "date_hour",
+                    "date_mday",
+                    "date_minute",
+                    "date_month",
+                    "date_second",
+                    "date_wday",
+                    "date_year",
+                    "date_zone",
+                    "punct",
+                    "timestartpos",
+                    "timeendpos",
+                    "linecount",
+                    "index",
+                    "splunk_server",
+                }
+                fields = [
+                    f.get("field", "")
+                    for f in field_results
+                    if f.get("field", "") not in skip_fields
+                ]
+                output.append(", ".join(f"`{f}`" for f in fields))
+
+                # Get sample values for interesting fields
+                interesting = {
+                    "Level",
+                    "level",
+                    "severity",
+                    "status",
+                    "sourcetype",
+                    "host",
+                    "TenantType",
+                    "Environment",
+                    "environment",
+                    "env",
+                    "Region",
+                    "region",
+                    "cluster",
+                    "Cluster",
+                    "cluster_name",
+                    "ClusterName",
+                }
+                found_interesting = [f for f in fields if f in interesting]
+                if found_interesting:
+                    output.append("")
+                    output.append("### Sample Values")
+                    output.append("")
+                    # Get a few sample events
+                    try:
+                        sample_events = list(
+                            client.search(
+                                f"index={name} | head 100",
+                                earliest="-1h",
+                                max_results=100,
+                            )
+                        )
+                        for field in found_interesting:
+                            seen: set[str] = set()
+                            for evt in sample_events:
+                                val = str(evt.get(field, "")).strip()[:50]
+                                if val:
+                                    seen.add(val)
+                                if len(seen) >= 5:
+                                    break
+                            if seen:
+                                output.append(
+                                    f"- **{field}:** {', '.join(f'`{s}`' for s in sorted(seen))}"
+                                )
+                    except Exception:
+                        pass
+        except Exception as e:
+            output.append(f"*Error getting fields: {e}*")
+
+        output.append("")
+
+    # Write output
+    md_content = "\n".join(output)
+    if args.output:
+        with open(args.output, "w") as f:
+            f.write(md_content)
+        print(f"Written to {args.output}", file=sys.stderr)
+    else:
+        print(md_content)
+
+
+def cmd_jobs(args: argparse.Namespace) -> None:
+    """List search jobs."""
+    client = get_client(args.profile)
+
+    jobs = client.list_jobs(count=50)
+
+    if args.mine:
+        jobs = [
+            j for j in jobs if not j["content"].get("sid", "").startswith("scheduler_")
+        ]
+
+    if not jobs:
+        print("No jobs found.")
+        return
+
+    total_mb = 0.0
+    for job in jobs:
+        content = job["content"]
+        state = content.get("dispatchState", "?")
+        sid = content.get("sid", "?")
+        disk = content.get("diskUsage", 0)
+        total_mb += disk / 1024 / 1024
+        search = content.get("search", "")[:50]
+        print(f"{state:10} {disk/1024/1024:6.1f}MB  {sid[:25]:25}  {search}")
+
+    print(f"\nTotal: {total_mb:.1f}MB")
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(
+        prog="splank",
+        description="CLI tool for querying Splunk logs",
+    )
+    parser.add_argument(
+        "-V",
+        "--version",
+        action="version",
+        version=f"%(prog)s {__version__}",
+    )
+    parser.add_argument(
+        "-p",
+        "--profile",
+        help="Splunk profile to use (e.g., 'qa', 'prod')",
+    )
+
+    subparsers = parser.add_subparsers(dest="command", help="Commands")
+
+    # init command
+    init_parser = subparsers.add_parser("init", help="Initialize credentials")
+    init_parser.set_defaults(func=cmd_init)
+
+    # search command
+    search_parser = subparsers.add_parser("search", help="Execute SPL query")
+    search_parser.add_argument("query", help="SPL query to execute")
+    search_parser.add_argument(
+        "--earliest", "-e", default="-24h", help="Earliest time (default: -24h)"
+    )
+    search_parser.add_argument(
+        "--latest", "-l", default="now", help="Latest time (default: now)"
+    )
+    search_parser.add_argument(
+        "--max-results", "-m", type=int, default=100, help="Max results (default: 100)"
+    )
+    search_parser.add_argument(
+        "--format",
+        "-f",
+        choices=["json", "csv", "table"],
+        default="table",
+        help="Output format",
+    )
+    search_parser.add_argument(
+        "--output", "-o", help="Output file (default: stdout)"
+    )
+    search_parser.set_defaults(func=cmd_search)
+
+    # discover command
+    discover_parser = subparsers.add_parser(
+        "discover", help="Discover available indexes"
+    )
+    discover_parser.add_argument(
+        "patterns",
+        nargs="*",
+        help="Glob patterns to filter indexes (e.g. 'web*' 'app-*')",
+    )
+    discover_parser.add_argument(
+        "--all", "-a", action="store_true", help="Include internal indexes"
+    )
+    discover_parser.add_argument(
+        "--fields", "-f", action="store_true", help="Discover fields for each index"
+    )
+    discover_parser.add_argument(
+        "--output", "-o", help="Output file (default: stdout)"
+    )
+    discover_parser.set_defaults(func=cmd_discover)
+
+    # jobs command
+    jobs_parser = subparsers.add_parser("jobs", help="List search jobs")
+    jobs_parser.add_argument(
+        "--mine", action="store_true", help="Show only my jobs"
+    )
+    jobs_parser.set_defaults(func=cmd_jobs)
+
+    # clear command
+    clear_parser = subparsers.add_parser("clear", help="Clear my search jobs")
+    clear_parser.set_defaults(func=cmd_clear)
+
+    args = parser.parse_args()
+
+    if not args.command:
+        parser.print_help()
+        sys.exit(1)
+
+    try:
+        args.func(args)
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

splank-0.1.0/splank/client.py

@@ -0,0 +1,193 @@
+"""Splunk REST API client."""
+
+import json
+import ssl
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+from typing import Iterator
+
+
+def get_ssl_context(verify: bool = True) -> ssl.SSLContext:
+    """Create SSL context."""
+    if verify:
+        return ssl.create_default_context()
+    ctx = ssl.create_default_context()
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    return ctx
+
+
+class SplunkClient:
+    """Splunk REST API client."""
+
+    def __init__(
+        self,
+        host: str,
+        port: int = 8089,
+        username: str | None = None,
+        password: str | None = None,
+        token: str | None = None,
+        verify_ssl: bool = True,
+    ):
+        self.base_url = f"https://{host}:{port}"
+        self.username = username
+        self.password = password
+        self.token = token
+        self.ssl_context = get_ssl_context(verify_ssl)
+        self.session_key: str | None = None
+
+    def _request(
+        self,
+        method: str,
+        endpoint: str,
+        data: dict | None = None,
+        params: dict | None = None,
+    ) -> dict:
+        """Make HTTP request to Splunk API."""
+        url = f"{self.base_url}{endpoint}"
+        if params:
+            url += "?" + urllib.parse.urlencode(params)
+
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+        if self.token:
+            headers["Authorization"] = f"Bearer {self.token}"
+        elif self.session_key:
+            headers["Authorization"] = f"Splunk {self.session_key}"
+
+        body = urllib.parse.urlencode(data).encode() if data else None
+
+        req = urllib.request.Request(url, data=body, headers=headers, method=method)
+
+        try:
+            with urllib.request.urlopen(req, context=self.ssl_context) as resp:
+                return json.loads(resp.read().decode())
+        except urllib.error.HTTPError as e:
+            error_body = e.read().decode()
+            raise RuntimeError(f"HTTP {e.code}: {error_body}")
+
+    def login(self) -> None:
+        """Authenticate and get session key."""
+        if self.token:
+            return  # Token auth doesn't need login
+
+        if not self.username or not self.password:
+            raise ValueError("Username and password required for authentication")
+
+        data = {
+            "username": self.username,
+            "password": self.password,
+            "output_mode": "json",
+        }
+        result = self._request("POST", "/services/auth/login", data=data)
+        self.session_key = result["sessionKey"]
+
+    def search(
+        self,
+        query: str,
+        earliest: str = "-24h",
+        latest: str = "now",
+        max_results: int = 100,
+        stream: bool = False,
+    ) -> Iterator[dict]:
+        """Execute a search query and return results."""
+        # Build search query with head limit to reduce server-side processing
+        if query.strip().startswith("|"):
+            spl = query
+        else:
+            spl = f"search {query}"
+
+        # Add head limit if not already present to reduce disk usage
+        if "| head" not in spl.lower():
+            spl = f"{spl} | head {max_results}"
+
+        data = {
+            "search": spl,
+            "earliest_time": earliest,
+            "latest_time": latest,
+            "output_mode": "json",
+        }
+        result = self._request("POST", "/services/search/jobs", data=data)
+        sid = result["sid"]
+
+        if stream:
+            yield from self._stream_results(sid, max_results)
+        else:
+            # Wait for job to complete
+            while True:
+                status = self._request(
+                    "GET",
+                    f"/services/search/jobs/{sid}",
+                    params={"output_mode": "json"},
+                )
+                state = status["entry"][0]["content"]["dispatchState"]
+                if state == "DONE":
+                    break
+                if state == "FAILED":
+                    raise RuntimeError("Search job failed")
+                time.sleep(0.5)
+
+            # Get results
+            results = self._request(
+                "GET",
+                f"/services/search/jobs/{sid}/results",
+                params={"output_mode": "json", "count": max_results},
+            )
+            yield from results.get("results", [])
+
+    def _stream_results(self, sid: str, max_results: int) -> Iterator[dict]:
+        """Stream preview results as they become available."""
+        seen_count = 0
+        while True:
+            status = self._request(
+                "GET",
+                f"/services/search/jobs/{sid}",
+                params={"output_mode": "json"},
+            )
+            state = status["entry"][0]["content"]["dispatchState"]
+
+            # Get preview results
+            preview = self._request(
+                "GET",
+                f"/services/search/jobs/{sid}/results_preview",
+                params={
+                    "output_mode": "json",
+                    "count": max_results,
+                    "offset": seen_count,
+                },
+            )
+            new_results = preview.get("results", [])
+            for result in new_results:
+                yield result
+                seen_count += 1
+                if seen_count >= max_results:
+                    return
+
+            if state == "DONE":
+                break
+            if state == "FAILED":
+                raise RuntimeError("Search job failed")
+            time.sleep(0.3)
+
+    def list_jobs(self, count: int = 50) -> list[dict]:
+        """List search jobs."""
+        result = self._request(
+            "GET",
+            "/services/search/jobs",
+            params={"output_mode": "json", "count": count},
+        )
+        return result.get("entry", [])
+
+    def delete_job(self, sid: str) -> None:
+        """Delete a search job."""
+        url = f"{self.base_url}/services/search/jobs/{sid}"
+        headers = {}
+        if self.token:
+            headers["Authorization"] = f"Bearer {self.token}"
+        elif self.session_key:
+            headers["Authorization"] = f"Splunk {self.session_key}"
+
+        req = urllib.request.Request(url, headers=headers, method="DELETE")
+        urllib.request.urlopen(req, context=self.ssl_context)

splank-0.1.0/splank/config.py

@@ -0,0 +1,129 @@
+"""Configuration handling for Splank."""
+
+import os
+import shutil
+import subprocess
+import sys
+import tomllib
+from pathlib import Path
+
+from platformdirs import user_config_dir
+
+from splank.client import SplunkClient
+
+CONFIG_DIR = Path(user_config_dir("splank"))
+CREDENTIALS_FILE = CONFIG_DIR / "credentials.toml"
+
+
+def load_credentials() -> dict:
+    """Load credentials from $XDG_CONFIG_HOME/splank/credentials.toml."""
+    if not CREDENTIALS_FILE.exists():
+        return {}
+
+    with open(CREDENTIALS_FILE, "rb") as f:
+        return tomllib.load(f)
+
+
+def get_profile(profile: str | None = None) -> dict:
+    """Get credentials for a specific profile.
+
+    Args:
+        profile: Profile name (e.g., 'qa', 'prod'). If None, uses 'default' profile.
+
+    Returns:
+        Profile configuration dict with host, port, username, password, token, verify_ssl.
+    """
+    creds = load_credentials()
+
+    if not creds:
+        print(
+            f"Credentials not configured in {CREDENTIALS_FILE}",
+            file=sys.stderr,
+        )
+        print("\nRun 'splank init' to set up credentials.", file=sys.stderr)
+        sys.exit(1)
+
+    # Determine which profile to use
+    profile_name = profile or creds.get("default_profile", "default")
+
+    # Get profile from profiles section
+    profiles = creds.get("profiles", {})
+    if profile_name in profiles:
+        return profiles[profile_name]
+
+    # Fall back to top-level config (for simple single-profile setup)
+    if "host" in creds:
+        return creds
+
+    print(f"Profile '{profile_name}' not found in {CREDENTIALS_FILE}", file=sys.stderr)
+    print(f"Available profiles: {', '.join(profiles.keys()) or '(none)'}", file=sys.stderr)
+    sys.exit(1)
+
+
+def get_client(profile: str | None = None) -> SplunkClient:
+    """Load credentials and create authenticated client.
+
+    Args:
+        profile: Profile name (e.g., 'qa', 'prod'). If None, uses default profile.
+    """
+    creds = get_profile(profile)
+
+    host = creds.get("host")
+    if not host:
+        print(f"'host' is required in profile", file=sys.stderr)
+        sys.exit(1)
+
+    client = SplunkClient(
+        host=host,
+        port=creds.get("port", 8089),
+        username=creds.get("username"),
+        password=creds.get("password"),
+        token=creds.get("token"),
+        verify_ssl=creds.get("verify_ssl", True),
+    )
+    client.login()
+    return client
+
+
+def init_config() -> None:
+    """Initialize credentials file with example values and open in editor."""
+    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+
+    example = """\
+# Splank configuration
+# Credentials are stored in TOML format
+
+# Default profile to use when --profile is not specified
+default_profile = "prod"
+
+[profiles.prod]
+host = "splunk-prod.example.com"
+port = 8089
+# Use either username/password or token authentication
+username = ""
+password = ""
+token = ""
+verify_ssl = true
+
+[profiles.qa]
+host = "splunk-qa.example.com"
+port = 8089
+username = ""
+password = ""
+token = ""
+verify_ssl = true
+"""
+    CREDENTIALS_FILE.write_text(example)
+    CREDENTIALS_FILE.chmod(0o600)
+    print(f"Credentials file created: {CREDENTIALS_FILE}")
+
+    editor = (
+        os.environ.get("EDITOR")
+        or shutil.which("nano")
+        or shutil.which("vim")
+        or shutil.which("vi")
+    )
+    if editor:
+        subprocess.run([editor, str(CREDENTIALS_FILE)])
+    else:
+        print("No editor found. Please edit the credentials file manually.")

splank-0.1.0/splank.egg-info/PKG-INFO

@@ -0,0 +1,89 @@
+Metadata-Version: 2.4
+Name: splank
+Version: 0.1.0
+Summary: CLI tool for querying Splunk logs. Search indexes, discover fields, and manage search jobs.
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/vivainio/splank
+Project-URL: Repository, https://github.com/vivainio/splank
+Project-URL: Issues, https://github.com/vivainio/splank/issues
+Keywords: splunk,cli,logs,search,observability,siem
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: System :: Logging
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: platformdirs>=4.0.0
+
+# Splank
+
+CLI tool for querying Splunk logs.
+
+## Setup
+
+```bash
+splank init
+```
+
+This creates `~/.config/splank/credentials.toml` with your Splunk credentials.
+
+### Configuration
+
+The credentials file supports multiple profiles:
+
+```toml
+default_profile = "prod"
+
+[profiles.prod]
+host = "splunk.example.com"
+port = 8089
+token = "your-token-here"
+verify_ssl = true
+
+[profiles.qa]
+host = "splunk-qa.example.com"
+port = 8089
+username = "admin"
+password = "changeme"
+verify_ssl = true
+```
+
+## Usage
+
+```bash
+# Search (uses default profile)
+splank search 'index=main Level=ERROR' -m 10
+
+# Search using specific profile
+splank -p qa search 'index=main Level=ERROR'
+
+# Discover indexes
+splank discover 'web*'
+
+# Discover with field info
+splank discover 'app-*' --fields -o DISCOVERY.md
+
+# Manage jobs
+splank jobs
+splank clear
+```
+
+## Commands
+
+- `init` - Create credentials file
+- `search` - Execute SPL query
+- `discover` - Discover available indexes
+- `jobs` - List search jobs
+- `clear` - Clear my search jobs
+
+## Options
+
+- `-p, --profile` - Splunk profile to use (e.g., 'qa', 'prod')
+- `-V, --version` - Show version

splank-0.1.0/splank.egg-info/SOURCES.txt

@@ -0,0 +1,13 @@
+README.md
+pyproject.toml
+splank/__init__.py
+splank/__main__.py
+splank/cli.py
+splank/client.py
+splank/config.py
+splank.egg-info/PKG-INFO
+splank.egg-info/SOURCES.txt
+splank.egg-info/dependency_links.txt
+splank.egg-info/entry_points.txt
+splank.egg-info/requires.txt
+splank.egg-info/top_level.txt

splank-0.1.0/splank.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

splank-0.1.0/splank.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+splank = splank.cli:main

splank-0.1.0/splank.egg-info/requires.txt

@@ -0,0 +1 @@
+platformdirs>=4.0.0

splank-0.1.0/splank.egg-info/top_level.txt

@@ -0,0 +1 @@
+splank