How to search custom fields from Splunk SDK?

scottmacdonald
New Member

I can't find documentation anywhere on how to format search strings for the Splunk SDK. Every single example provided just uses:

search index=_internal | head 10

I'm just trying to search on a custom field I use in my application, so I thought this would work:

search index=myindex mycustomfield=xyz

but that just gives me an error: Bad Request: FATAL: Unknown search command mycustomfield

How do I format this as I want? And perhaps more importantly, where is it documented how the SDK expects requests to be formatted?

0 Karma

micahkemp
Champion

See if this answer from yesterday helps.

0 Karma

scottmacdonald
New Member

@micahkemp that actually did help, but not for the reason you would think... Turns out it was a dumb mistake on my part: I had two variables declared, named search and searchStr, and I mixed the two up and was passing in the wrong one, without the 'search' part at the beginning. Stupid mistake, but thanks for the tip.

0 Karma
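
The cause described in the reply above (the string handed to the SDK lacked the leading `search`) can be guarded against in one place. This is an added example, not code from the thread or from any Splunk SDK: `field_filter`, `normalize_query` and `build_query` are hypothetical helper names, and the field-name pattern and backslash escaping of quoted values are assumptions of this sketch.

```python
import re

# Assumption: field names are restricted to this conservative pattern.
_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def field_filter(field, value):
    """Return field="value" with the value quoted as one SPL string."""
    if not _FIELD_RE.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    # Escape backslashes first, then double quotes, so the value cannot
    # close the quoted string and continue as further search syntax.
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{escaped}"'


def normalize_query(query):
    """Make sure the string passed to the SDK starts with a command.

    A query that already begins with "search" or with a pipe (a leading
    generating command) is returned unchanged; anything else gets
    "search " prepended.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty search string")
    first = q.split(None, 1)[0].lower()
    if q.startswith("|") or first == "search":
        return q
    return "search " + q


def build_query(index, **fields):
    """Build the full search string for an index plus field=value terms."""
    terms = [field_filter("index", index)]
    terms += [field_filter(name, value) for name, value in fields.items()]
    return normalize_query(" ".join(terms))


if __name__ == "__main__":
    # Constructed sample values taken from the question's own search.
    print(build_query("myindex", mycustomfield="xyz"))
```

The string returned by `build_query` is what gets passed to the SDK's search call; building it in one function avoids keeping two similarly named variables for the same query.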

damien_chillet
Builder

Hi scott,

Can you provide us with a sample of the code you're using to get this error?

0 Karma