topic Re: Real time search of _audit using Python SDK in Splunk Dev

Real time search of _audit using Python SDK

jlentner — Fri, 28 Jun 2013 19:37:16 GMT

Using the follow.py example script, I get no events when searching using 'index=_audit action=alert_fired'. When I run this search I can go into 'Jobs' and watch it from the GUI and see records returned, but they are not displayed from the python script.

Other searches work as expected (like 'index=_audit action=search'), but the alert_fired action returns no events.

The only difference I can find is searches that return events to the Python script show a '< results preview='0'/>' while the alert_fired returns '< results preview='1'/>'.

Re: Real time search of _audit using Python SDK

Neeraj_Luthra — Wed, 03 Jul 2013 17:23:59 GMT

< results preview='1'/> means there are no events that match that search criteria. It is surprising that you notice events when you look at it from Jobs from the UI.

follow.py example uses 'rt' for both earliest and latest time boundaries. Can you try and run the same search (index=_audit action=search) from the UI with time dropdown set to All time (real-time) and see whether that returns any events?

Re: Real time search of _audit using Python SDK

jlentner — Mon, 28 Sep 2020 14:15:01 GMT

From the UI, 'index=_audit action=alert_fired' works as expected. I'm not having any problems if I use action=search (from either my Python script or the UI). I applied 5.0.3 this morning and my symptoms have slightly changed. Now, when I run my script that starts the real time search I still get no results (as before), but if I go into 'Jobs' and click on the link to take me to that in progress search it shows events incrementing but I don't see the actual alert text displayed. With 5.0.2 I would see the text.