2.2.8 SDK differences from 1.0 - field format

rgonzale6
Path Finder

We have a C# application, written many years ago, that uses SDK 1.0 to query Splunk and process the fields of interest in the results. Basically, it was done by executing:

        searchMgr = new SearchManager(_SplunkConnection);
        searchJob = searchMgr.SyncSearch(searchQuery, dispatchParams);
        rawResults = searchJob.GetResultsRaw(resultParams).ToString();

where the 'resultParams' specified a 'FieldList' of the specific result fields of interest. All the following code had to do was to loop through the XML representation of the individual field names and their corresponding results. I was hoping to find equivalent functionality in SDK 2.2.8, but the best I could find is the following code, executed after creating a 'Service' object and logging into Splunk:

        SearchResultStream stream = await service.SearchOneShotAsync(searchQuery);

        foreach (SearchResult anEvent in stream)
        {
            // Each event comes back as one long 'SearchResult(...)' string
            string rawEventStr = anEvent.ToString();
        }

This code will return the query results we are expecting, but in the format of a single very long string 'SearchResult(...)' where contents between the parentheses are basically of the form ': '. This string can be many hundreds of characters long with dozens of field names, most of which I don't care about. (Note that the old code only returned the fields I care about!)

I can probably write C# code that will parse this, but there has to be a better way to do it using SDK 2.2.8 functionality. After a lot of searching, I can find nothing. Does anyone have a more elegant solution to this problem? Any help would be greatly appreciated.

1 Solution

ewan000
Path Finder

Hi,

You can access the fields with the GetValue(fieldname) method

        SearchResultStream stream = await service.SearchOneShotAsync("search index=main | head 10");

        foreach (SearchResult anEvent in stream)
        {
            foreach( var field in anEvent.FieldNames)
            {
                Console.WriteLine($"{field} = {anEvent.GetValue(field)}");
            }
        }
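
To get back only the fields of interest, as the old 'FieldList' did, the answer above can be combined with the SPL `fields` command. This is an added example, not code from the thread or from the SDK; `FieldExtractor`, `QueryFieldsAsync` and its parameters are hypothetical names, and the handling of multivalue fields is an assumption.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Splunk.Client;

public static class FieldExtractor
{
    // Hypothetical helper: returns one dictionary per event, holding only the wanted fields.
    // 'service' must already be logged on. 'wantedFields' is a fixed list defined in code;
    // it is spliced into the SPL string, so it must not come from user input.
    public static async Task<List<Dictionary<string, string>>> QueryFieldsAsync(
        Service service, string baseSearch, IReadOnlyList<string> wantedFields)
    {
        // "| fields a, b" makes Splunk drop the other fields on the server side.
        // Internal fields such as _raw and _time are still kept by default.
        string search = baseSearch + " | fields " + string.Join(", ", wantedFields);

        var rows = new List<Dictionary<string, string>>();
        using (SearchResultStream stream = await service.SearchOneShotAsync(search))
        {
            foreach (SearchResult anEvent in stream)
            {
                var row = new Dictionary<string, string>();
                foreach (string name in wantedFields)
                {
                    // An event may lack a field; check before calling GetValue.
                    if (!anEvent.FieldNames.Contains(name)) continue;

                    object value = anEvent.GetValue(name);
                    // Assumption: a multivalue field arrives as a collection of strings.
                    row[name] = value is IEnumerable<string> many
                        ? string.Join(";", many)
                        : value?.ToString();
                }
                rows.Add(row);
            }
        }
        return rows;
    }
}
```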


rgonzale6
Path Finder

Perfect! Many thanks!
