Real time search of _audit using Python SDK

jlentner · ‎06-28-2013

Using the follow.py example script, I get no events when searching using 'index=_audit action=alert_fired'. When I run this search I can go into 'Jobs' and watch it from the GUI and see records returned, but they are not displayed from the python script.

Other searches work as expected (like 'index=_audit action=search'), but the alert_fired action returns no events.

The only difference I can find is searches that return events to the Python script show a '< results preview='0'/>' while the alert_fired returns '< results preview='1'/>'.

Neeraj_Luthra · ‎07-03-2013

< results preview='1'/> means there are no events that match that search criteria. It is surprising that you notice events when you look at it from Jobs from the UI.

follow.py example uses 'rt' for both earliest and latest time boundaries. Can you try and run the same search (index=_audit action=search) from the UI with time dropdown set to All time (real-time) and see whether that returns any events?

jlentner · ‎07-03-2013

From the UI, 'index=_audit action=alert_fired' works as expected. I'm not having any problems if I use action=search (from either my Python script or the UI). I applied 5.0.3 this morning and my symptoms have slightly changed. Now, when I run my script that starts the real time search I still get no results (as before), but if I go into 'Jobs' and click on the link to take me to that in progress search it shows events incrementing but I don't see the actual alert text displayed. With 5.0.2 I would see the text.

Real time search of _audit using Python SDK

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!