Hello,
I am interacting with splunk through the API (more specifically I use the search.py from the SDK).
I have a set of rules that I would like to run. Those rules have different field names than the ones I use on my Splunk.
For example, one of the rules I have searches if dst_port="4242", but my parsing on my Splunk is made differently. I have named that specific field destination_port and not dst_port. The search is therefore failing and finds 0 results. But when running multiple rules it is impossible to understand if the search returns 0 results because the field does exist or because it simply did not find anything.
I want to run multiple searches (around 200+), and force Splunk to indicate to me if (for one specific search) it could not find any results BECAUSE the field(s) I am searching does not exist.
This is an example of how I perform one simple search:
search.py --verbose=1 --config=mySplunkrc.conf "search index=main host=debian"
Results:
<results preview='0'/>
This happens because my field is named Host and not host. Although it is not possible to understand if I found 0 because it could not find the field named "host".
Do you have a solution?
Thank you for your time.
SRJ
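One way to tell a field-name mismatch apart from a genuine zero-hit search, as an added example that is not part of the post above and not code from the Splunk SDK: pull the field inventory once per index with `| fieldsummary`, then compare the field names each rule's search clause references against it before (or after) running the 200+ rules. The `fieldsummary` rows and the rules below are constructed sample data; the SDK call shown in the comment is how one would fetch the real rows.

```python
import re

# Field name on the left-hand side of an SPL comparison, e.g. dst_port="4242",
# host=debian, bytes>1000. The lookbehind avoids matching the tail of a
# dotted or underscored name as a separate field.
FIELD_RE = re.compile(r'(?<![\w.])([A-Za-z_][\w.]*)\s*(?:!=|<=|>=|=|<|>)')


def extract_fields(spl):
    """Return the set of field names compared against in a rule's search clause."""
    head = spl.split("|", 1)[0]            # only the base search, not later commands
    head = re.sub(r'"[^"]*"', '""', head)  # blank quoted values so a=b inside them is ignored
    return set(FIELD_RE.findall(head))


def known_fields_from_fieldsummary(rows):
    """rows: one dict per field as returned by `search index=main | fieldsummary`.
    In practice fetch them once per index with the SDK, e.g.
    service.jobs.oneshot('search index=main | fieldsummary', output_mode='json')."""
    return {row["field"] for row in rows}


def diagnose(spl, known_fields):
    """Map each referenced field that is absent from the index to a same-name,
    different-case field if one exists (host -> Host), else None."""
    by_lower = {}
    for name in known_fields:
        by_lower.setdefault(name.lower(), name)
    return {f: by_lower.get(f.lower())
            for f in sorted(extract_fields(spl)) if f not in known_fields}


def triage_rules(rules, known_fields):
    """An empty dict for a rule means 0 results would be a genuine no-match,
    not a field that the index never extracts."""
    return {rule: diagnose(rule, known_fields) for rule in rules}


# Constructed sample data, not real output from any Splunk instance.
SAMPLE_FIELDSUMMARY = [{"field": "index"}, {"field": "Host"},
                       {"field": "destination_port"}, {"field": "src_ip"}]
SAMPLE_RULES = ['search index=main host=debian',
                'search index=main dst_port="4242"',
                'search index=main src_ip=10.0.0.5 | stats count']

if __name__ == "__main__":
    known = known_fields_from_fieldsummary(SAMPLE_FIELDSUMMARY)
    for rule, missing in triage_rules(SAMPLE_RULES, known).items():
        print(rule, "->", missing or "all fields exist; 0 results would be genuine")
```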