https://community.splunk.com/t5/Splunk-Dev/How-to-output-raw-results-from-the-Splunk-Python-SDK-when-using/m-p/255706#M3191 <P>So I was having the same problem as here:</P> <P><A href="https://answers.splunk.com/answers/99633/only-100-results-return-with-python-api-query.html">https://answers.splunk.com/answers/99633/only-100-results-return-with-python-api-query.html</A></P> <P>and I used this: <A href="http://dev.splunk.com/view/SP-CAAAEE5#paginating">http://dev.splunk.com/view/SP-CAAAEE5#paginating</A><BR /><BR /> and this: <A href="http://dev.splunk.com/view/python-sdk/SP-CAAAER5">http://dev.splunk.com/view/python-sdk/SP-CAAAER5</A> </P> <P>To create a script that now returns ALL my results, BUT I need to write the raw results to a file.</P> <P>I WAS using the following syntax:</P> <PRE><CODE>&lt;snip&gt; kwargs_normalsearch = {"exec_mode":"normal"} job = service.jobs.create(searchquery, **kwargs_normalsearch) &lt;check for job to be done&gt; content = str(job.results(output_mode="raw")) file.write(content) &lt;snip&gt; </CODE></PRE> <P>But I have not figured out how to combine the output_mode="raw" into the pagination script. I have not yet found anything in the above documentation or via Google showing the correct syntax, so I'm asking here.</P> <P>I basically copied what was on one of the pages listed above:</P> <PRE><CODE>kwargs_blockingsearch = {"exec_mode":"blocking"} print "Search results:\n" resultCount = job["resultCount"] # Number of results this job returned offset = 0; # Start at result 0 count = 10; # Get sets of 10 results at a time while (offset &lt; int(resultCount)): kwargs_paginate = {"count": count, "offset": offset} # Get the search results and display them blocksearch_results = job.results(**kwargs_paginate) for result in results.ResultsReader(blocksearch_results): print result # Increase the offset to get the next set of results offset += count </CODE></PRE> <P>And I've tried:</P> <PRE><CODE>blocksearch_results = job.results(**kwargs_paginate, output_mode="raw") </CODE></PRE> <P>and</P> <PRE><CODE>blocksearch_results = str(job.results(**kwargs_paginate, output_mode="raw")) </CODE></PRE> <P>and </P> <PRE><CODE>kwargs_paginate = {'output_mode": "raw", "count": count, "offset": offset} </CODE></PRE> <P>all fail due to invalid syntax.</P> <P>Does anyone have any suggestions?</P> Wed, 31 Aug 2016 17:03:52 GMT reswob4 2016-08-31T17:03:52Z https://community.splunk.com/t5/Splunk-Dev/How-to-output-raw-results-from-the-Splunk-Python-SDK-when-using/m-p/255706#M3191 <P>So I was having the same problem as here:</P> <P><A href="https://answers.splunk.com/answers/99633/only-100-results-return-with-python-api-query.html">https://answers.splunk.com/answers/99633/only-100-results-return-with-python-api-query.html</A></P> <P>and I used this: <A href="http://dev.splunk.com/view/SP-CAAAEE5#paginating">http://dev.splunk.com/view/SP-CAAAEE5#paginating</A><BR /><BR /> and this: <A href="http://dev.splunk.com/view/python-sdk/SP-CAAAER5">http://dev.splunk.com/view/python-sdk/SP-CAAAER5</A> </P> <P>To create a script that now returns ALL my results, BUT I need to write the raw results to a file.</P> <P>I WAS using the following syntax:</P> <PRE><CODE>&lt;snip&gt; kwargs_normalsearch = {"exec_mode":"normal"} job = service.jobs.create(searchquery, **kwargs_normalsearch) &lt;check for job to be done&gt; content = str(job.results(output_mode="raw")) file.write(content) &lt;snip&gt; </CODE></PRE> <P>But I have not figured out how to combine the output_mode="raw" into the pagination script. I have not yet found anything in the above documentation or via Google showing the correct syntax, so I'm asking here.</P> <P>I basically copied what was on one of the pages listed above:</P> <PRE><CODE>kwargs_blockingsearch = {"exec_mode":"blocking"} print "Search results:\n" resultCount = job["resultCount"] # Number of results this job returned offset = 0; # Start at result 0 count = 10; # Get sets of 10 results at a time while (offset &lt; int(resultCount)): kwargs_paginate = {"count": count, "offset": offset} # Get the search results and display them blocksearch_results = job.results(**kwargs_paginate) for result in results.ResultsReader(blocksearch_results): print result # Increase the offset to get the next set of results offset += count </CODE></PRE> <P>And I've tried:</P> <PRE><CODE>blocksearch_results = job.results(**kwargs_paginate, output_mode="raw") </CODE></PRE> <P>and</P> <PRE><CODE>blocksearch_results = str(job.results(**kwargs_paginate, output_mode="raw")) </CODE></PRE> <P>and </P> <PRE><CODE>kwargs_paginate = {'output_mode": "raw", "count": count, "offset": offset} </CODE></PRE> <P>all fail due to invalid syntax.</P> <P>Does anyone have any suggestions?</P> Wed, 31 Aug 2016 17:03:52 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-output-raw-results-from-the-Splunk-Python-SDK-when-using/m-p/255706#M3191 reswob4 2016-08-31T17:03:52Z https://community.splunk.com/t5/Splunk-Dev/How-to-output-raw-results-from-the-Splunk-Python-SDK-when-using/m-p/255707#M3192 <P>I figured it out.</P> <P>Once I realized the results are returned in ordered dictionaries, here's what i did:</P> <PRE><CODE> searchquery = "search &lt;your search query&gt; | table _raw" ..... ..... for result in results.ResultsReader(blocksearch_results): event=result.popitem() print event[1] </CODE></PRE> <P>This returns only the _raw results for each. I'm writing them to a file </P> <PRE><CODE>f.write(event[1] + "\n") </CODE></PRE> <P>do with them what you will.</P> Tue, 06 Sep 2016 14:12:37 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-output-raw-results-from-the-Splunk-Python-SDK-when-using/m-p/255707#M3192 reswob4 2016-09-06T14:12:37Z