Splunk Search

Searches using the Python SDK and REST API always returning ""

ntomczek
New Member

I am new to Splunk's SDK and REST API. I'm trying to match a simple query I'm running via the UI (The App is "Search", the query is simply "error", and the duration is "Last 24 hours"). When I run the query I typically get between 300 and 400 results. I'm running the below query using the Python SDK

searchquery_normal = "search error"
kwargs_normalsearch = {"exec_mode": "normal",
                       "earliest_time": "-24h",
                       "latest_time": "now",
                       "namespace": "search"}

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

Pulled the code straight from the Splunk examples here (http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 under the "To create a normal search, poll for completion, and display results" section) I just changed the arguments. The query completes and the log information does not show any errors, but when I look at the results that is returned is:

<?xml version="1.0"?>
<results preview="0"/>

The sample code I'm using does have a process to wait for the job to complete. I've also created other versions of the query that point directly to the Splunk REST API but those return the same results as above. I have no clue what I need to look into next to try and solve this so any ideas are greatly appreciated!

0 Karma
1 Solution

micahkemp
Champion

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

View solution in original post

micahkemp
Champion

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

ntomczek
New Member

I was authenticated to the API and UI with the same creds but I just added an explicit index to the search and I get results back! Thanks for the help!

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@ntomczek - I just converted micahkemp's comment to an answer. Please "Accept" the answer to close out your question. Thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...