Splunk Search

New field/attribute added to raw results by python

MatthewTowey
Path Finder

Hi

I am trying to add a new field to my search results via a custom search command written in python

Take the following snippet from the script:

results,results1,results2 = splunk.Intersplunk.getOrganizedResults()

for line in results:

line["Test"] = 'Some Test Text'

When I run a search which uses this custom search command I don't see the Test field appearing in the events list, events table or results table. Just wondering if my expectation is incorrect in terms of Splunk being able to do this

Thanks
Matt

0 Karma
1 Solution

ziegfried
Influencer

You have to output the results after the loop (ie. once you've modified them).

splunk.Intersplunk.outputResults(results)

View solution in original post

ziegfried
Influencer

You have to output the results after the loop (ie. once you've modified them).

splunk.Intersplunk.outputResults(results)

MatthewTowey
Path Finder

Hi
I am using the following search: source="file-name.txt" | | head 2. The field does not appear in the field picker

Thanks
Matt

0 Karma

ziegfried
Influencer

I see. The field should be available in the results then. What's the exact search, you're using? Is the field selected (ie. does it appear in the field picker - on the left)?

0 Karma

MatthewTowey
Path Finder

Hi ziegfried
Thanks for the reply
Sorry I hadn't included more of the code to make it more clear.
I have the " splunk.Intersplunk.outputResults(results)"
line of code after the loop finishes.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...