https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604857#M10703 <P>Do you use the same user in GUI as with REST?</P><P>BTW, join over inputlookup doesn't seem to be the best idea. Why not straight use lookup?</P> Thu, 07 Jul 2022 20:38:12 GMT PickleRick 2022-07-07T20:38:12Z https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604848#M10702 <P>I have a search that joins an index to a .csv lookup.&nbsp; When I run the search for last 24 hours in the GUI, I get ~81k matches (expected).&nbsp; When I run the exact same query via the sdk, I get 0 matches.&nbsp; Here is my code:</P> <P>&nbsp;</P> <P>service = client.connect(<BR />host=HOST,<BR />port=PORT,<BR />username=USERNAME,<BR />password=PASSWORD)</P> <P>import sys<BR />from time import sleep<BR />import splunklib.results as results</P> <P>query= "search index=my_index sourcetype=my_sourcetype | fields field1 field2 field3 field4 field5 field6 field7 | join my_primary_key[| inputlookup my_lookup_file.csv ]"<BR />kwargs = {"exec_mode": "normal",<BR />"earliest_time": "-1440m",<BR />"latest_time": "now",<BR />"search_mode": "normal",<BR />"output_mode": "json"<BR />}<BR />job = service.jobs.create(query, **kwargs)</P> <P># A normal search returns the job's SID right away, so we need to poll for completion<BR />while True:<BR />while not job.is_ready():<BR />pass<BR />stats = {"isDone": job["isDone"],<BR />"doneProgress": float(job["doneProgress"])*100,<BR />"scanCount": int(job["scanCount"]),<BR />"eventCount": int(job["eventCount"]),<BR />"resultCount": int(job["resultCount"])}</P> <P>status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned "<BR />"%(eventCount)d matched %(resultCount)d results") % stats</P> <P>sys.stdout.write(status)<BR />sys.stdout.flush()<BR />if stats["isDone"] == "1":<BR />sys.stdout.write("\n\nDone!\n\n")<BR />break<BR />sleep(2)<BR /><BR /># Get the results and display them<BR />for result in results.JSONResultsReader(job.results(output_mode='json')):<BR />print(result)</P> <P>job.cancel()<BR />sys.stdout.write('\n')</P> <P>&nbsp;</P> <P>Can somebody please explain why the query would work and return matches in the GUI but not via the SDK?</P> Thu, 07 Jul 2022 20:02:15 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604848#M10702 adomenico 2022-07-07T20:02:15Z https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604857#M10703 <P>Do you use the same user in GUI as with REST?</P><P>BTW, join over inputlookup doesn't seem to be the best idea. Why not straight use lookup?</P> Thu, 07 Jul 2022 20:38:12 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604857#M10703 PickleRick 2022-07-07T20:38:12Z https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604942#M10704 <P>Yes, it is the same user.&nbsp; I need to join, because the lookup csv file contains part of the data I need in the final report and the index has the other part.&nbsp;&nbsp;</P> Fri, 08 Jul 2022 13:23:43 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-search-with-join-returns-result-in-GUI-but-not-with/m-p/604942#M10704 adomenico 2022-07-08T13:23:43Z