https://community.splunk.com/t5/Splunk-Dev/How-do-I-compare-different-values-for-fields-returned-using-the/m-p/153102#M2093 <P>This is alot easier using the <A href="http://dev.splunk.com/python">Splunk Python SDK</A></P> <P>Example code doing mock String compare against the _raw field from the export search results :</P> <PRE><CODE>import splunklib.results as results import splunklib.client as client def compare(val_a, val_b): return val_a == val_b if __name__ == '__main__': service = client.connect(host='localhost',port=8089,username='admin',password='abc') kwargs_export = {"earliest_time": "-1h", "latest_time": "now", "search_mode": "normal"} searchquery_export = "search index=_internal" exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export) reader = results.ResultsReader(exportsearch_results) foo_field = 'foo' for result in reader: if isinstance(result, dict): raw_field = result['_raw'] print compare(raw_field,foo_field) </CODE></PRE> Wed, 10 Jun 2015 17:49:57 GMT Damien_Dallimor 2015-06-10T17:49:57Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-compare-different-values-for-fields-returned-using-the/m-p/153101#M2092 <P>I have just started playing around with the python REST API for a project i have in mind. Please forgive me as this is my first real attempt at scripting/programming anything really. I'm using Python to query Splunk.</P> <P>Anyway based on the examples i found on the website, this is a part of the code: </P> <PRE><CODE>request = urllib2.Request(base_url + '/servicesNS/%s/search/search/jobs/export' % (username), data = urllib.urlencode({'search': search_query,'output_mode': 'csv'}), headers = { 'Authorization': ('Splunk %s' %session_key)}) search_results = urllib2.urlopen(request) returned_data = search_results.read() </CODE></PRE> <P>Here is an example output (i have on purpose only selected two fields and 3 events for each)</P> <PRE><CODE>"_time",Service "2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]" "2015-06-10 18:09:08.000 BST","dnsmasq-dhcp[472]" "2015-06-10 17:48:04.000 BST","dnsmasq-dhcp[472]" </CODE></PRE> <P>When printing the value of returned_data, i can see all the information i expect. However, the variable has a type of string so i need to convert it to something, but not sure what. The end aim is to be able to compare the different values in the fields. Would i need to convert the above output to a dictionary or a list ? Also, should i maybe be trying to export the results from splunk in a different format than csv? </P> Wed, 10 Jun 2015 17:26:28 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-compare-different-values-for-fields-returned-using-the/m-p/153101#M2092 ng87 2015-06-10T17:26:28Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-compare-different-values-for-fields-returned-using-the/m-p/153102#M2093 <P>This is alot easier using the <A href="http://dev.splunk.com/python">Splunk Python SDK</A></P> <P>Example code doing mock String compare against the _raw field from the export search results :</P> <PRE><CODE>import splunklib.results as results import splunklib.client as client def compare(val_a, val_b): return val_a == val_b if __name__ == '__main__': service = client.connect(host='localhost',port=8089,username='admin',password='abc') kwargs_export = {"earliest_time": "-1h", "latest_time": "now", "search_mode": "normal"} searchquery_export = "search index=_internal" exportsearch_results = service.jobs.export(searchquery_export, **kwargs_export) reader = results.ResultsReader(exportsearch_results) foo_field = 'foo' for result in reader: if isinstance(result, dict): raw_field = result['_raw'] print compare(raw_field,foo_field) </CODE></PRE> Wed, 10 Jun 2015 17:49:57 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-compare-different-values-for-fields-returned-using-the/m-p/153102#M2093 Damien_Dallimor 2015-06-10T17:49:57Z