I'm using the Python SDK to query Splunk.
Below is how the data looks.
When I run the following query from the web UI, _raw is displayed correctly:
index=vgw "Session 25907" source="20130315.log" "end reason"|table _raw
result:
2013-03-15 08:42:41 : Session 25907 VGWSession:: end reason: ep disconnect
However, when I run the same query (without the table command) from the Python SDK (I'm following the examples for "oneshot search" and "normal search" at http://dev.splunk.com/view/SP-CAAAEE5#oneshotjob), it returns:
OrderedDict([('_bkt', 'vgw~490~1EF8E9B1-5238-48F9-8B5A-2B768B4DB0E8'), ('_cd', '490:29401397'), ('_indextime', '1363362162'), ('_raw', '2013-03-15 08:42:41 : '), ('_serial', '0'), ('_si', ['splunk4', 'vgw']), ('_sourcetype', 'vgw'), ('_time', '2013-03-15T08:42:41.000-07:00'), ('host', 'vgw5'), ('index', 'vgw'), ('linecount', '1'), ('source', '20130315.log'), ('sourcetype', 'vgw'), ('splunk_server', 'splunk4')])
The _raw field didn't have everything; it's only part of it.
Does anyone know why, or has anyone experienced the same? How do I fix it?
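One thing to check, as an added example that is not part of the post or the Splunk SDK: if the SDK's result parser reads only the first text node of the _raw field's XML value, any highlight markup Splunk wraps around matched search terms would cut the string off exactly where the first match ("Session") begins. The sample field below is constructed to illustrate that assumption, and the second function shows the reading that recovers the whole event.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one field from Splunk results XML, with the matched
# search terms wrapped in <sg> highlight elements (assumed layout, not a
# capture from the poster's server).
SAMPLE_FIELD = (
    '<field k="_raw"><v xml:space="preserve">2013-03-15 08:42:41 : '
    '<sg h="1">Session</sg> <sg h="1">25907</sg> VGWSession:: '
    '<sg h="1">end</sg> <sg h="1">reason</sg>: ep disconnect</v></field>'
)


def raw_naive(field_xml):
    """Read only the <v> element's own .text, which stops at the first child
    element; this reproduces the truncated prefix seen in the question."""
    v = ET.fromstring(field_xml).find("v")
    return v.text or ""


def raw_full(field_xml):
    """Concatenate every text node under <v>, including the text inside
    <sg> highlight children, to rebuild the complete _raw string."""
    v = ET.fromstring(field_xml).find("v")
    return "".join(v.itertext())


def is_truncated_by_markup(field_xml):
    """True when the naive reading loses data, i.e. <v> has child elements."""
    return raw_naive(field_xml) != raw_full(field_xml)


if __name__ == "__main__":
    print("naive:", repr(raw_naive(SAMPLE_FIELD)))
    print("full: ", repr(raw_full(SAMPLE_FIELD)))
    print("truncated by markup:", is_truncated_by_markup(SAMPLE_FIELD))
```

Comparing the two readings against an actual field from the SDK's results endpoint would confirm or rule out this explanation for the server in question.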