I'm submitting a search through splunklib (PythonSDK). On the output side, I need some fields which are all either aliased or calculated ones. So I figured I'd supply the rf search parameter along with the rest of the needed stuff (like "search", "exec_mode", "earliest_time", "latest_time" etc.). I made sure I connected via client.connect with the app keyword set to the application where those field extractions and aliases are defined. In addition, I tried to specify the namespace search parameter, again supplying the name of the application.
No luck - the results (extracted via ResultsReader) never contained any of those fields I specified in rf. I tried both comma-separated and whitespace-separated, quoted and unquoted lists (like field1, field2, ... , "field1" "field2" ... etc.) to no avail.
Anything else that I'm missing?
Found an answer minutes after I posted the question.
rf is supposed to be a list. So the right way is 'rf': ['field1', 'field2', ... ] (in a kwargs dictionary) or rf=['field1', 'field2', ...] in the method call itself.
Default fields like "source", "host" are also showing up in the response; how can only the required fields be shown?
Hi, can you share your code here? I'm running into the same issue, but even when I add 'rf': ['field1', 'field2'] etc. I do not see the results.
Make sure you extract those fields first in the search string, with | fields ...
Another point to check: if the fields are not auto-extracted, and the extractions and transforms are in the app's props.conf/transforms.conf, make sure you run that search in that app's context.
For example (Python code):
kwargs_oneshot = {'earliest_time': earliest, 'latest_time': latest, 'namespace': APP_NAME, 'rf': ['field1', 'field2']}
oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)
See that namespace keyword argument? It's important to have if you expect the props+transforms of your app to work.
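The points from this thread combined into one sketch, added here as an example and not code from any of the posters: rf is normalized to a list, the fields are kept with | fields, and namespace carries the app name. The helper names, "my_app" and the field names are placeholders, and form_body only illustrates with urllib how a list-valued parameter turns into repeated rf POST arguments compared with a single comma-separated string.

```python
from urllib.parse import urlencode

def normalize_rf(rf):
    """Return rf as a list of field names, whatever shape the caller passed."""
    if isinstance(rf, str):
        # Accept "field1, field2" or '"field1" "field2"' and split it up.
        rf = rf.replace(",", " ").replace('"', " ").split()
    return [f for f in rf if f]

def build_oneshot_args(query, fields, app, earliest, latest):
    """Build the search string and kwargs for service.jobs.oneshot()."""
    fields = normalize_rf(fields)
    # Keep the fields explicitly in the search, as advised in the thread.
    search = f"{query} | fields {' '.join(fields)}"
    kwargs = {
        "earliest_time": earliest,
        "latest_time": latest,
        "namespace": app,   # app whose props/transforms define the fields
        "rf": fields,       # must be a list, one entry per field
    }
    return search, kwargs

def form_body(kwargs):
    """Illustrate the POST body: list values become repeated parameters."""
    return urlencode(kwargs, doseq=True)

def run_oneshot(service, query, fields, app, earliest="-15m", latest="now"):
    """Run the search on a connected splunklib service; yield result dicts."""
    import splunklib.results as results  # imported lazily; needs splunk-sdk
    search, kwargs = build_oneshot_args(query, fields, app, earliest, latest)
    for item in results.ResultsReader(service.jobs.oneshot(search, **kwargs)):
        if isinstance(item, dict):  # skip diagnostic Message objects
            yield item

if __name__ == "__main__":
    # Constructed sample values; "my_app" and the field names are placeholders.
    search, kwargs = build_oneshot_args(
        "search index=main", "field1, field2", "my_app", "-1h", "now")
    print(search)
    print(form_body({"rf": kwargs["rf"]}))        # two rf arguments
    print(form_body({"rf": "field1, field2"}))    # one rf value, not two
```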