topic Splunk Python SDK: Mismatch Results in Splunk Dev

Splunk Python SDK: Mismatch Results

kavithaisplunk — Sun, 07 Jun 2020 18:38:19 GMT

I am using Splunk Python SDK to run series of splunk queries. Recently encountered an issue, results from SDK and manually running query on the Web yields different results. All I am trying to do is run a simple query to get the count for a particular timeframe(index=xxx | stats count). I see SDK query result count is short of 1 million than the one executed manually. I did verify the timeframe is same in both the case. Could someone shed some light?

Re: Splunk Python SDK: Mismatch Results

jkat54 — Thu, 21 Feb 2019 13:53:57 GMT

Please post both the manual search and the code used with the sdk to create the search via API.

Please be sure the user executing the search is the same.

Please verify the job properties match between both jobs. (Open splunk UI -> Activity -> Jobs -> find your job -> click job drop down -> inspect job)

Re: Splunk Python SDK: Mismatch Results

kavithaisplunk — Tue, 29 Sep 2020 23:19:30 GMT

I am exactly doing the same as below.. Running the same query manually I get 5 Million as Total count but running through the below code returns only 4 Million as Total count.

import splunklib.results as results

kwargs_oneshot = {"earliest_time": "2014-06-19T12:00:00.000-07:00",
"latest_time": "2014-06-20T12:00:00.000-07:00"}
searchquery_oneshot = "index=SearcherIndex NOT "health" | stats count"

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

Get the results and display them using the ResultsReader

reader = results.ResultsReader(oneshotsearch_results)
for item in reader:
print(item)

Re: Splunk Python SDK: Mismatch Results

raduurjan — Wed, 11 Dec 2019 13:47:43 GMT

Try adding the following arguments in the kwargs dictionary:

"count" : 0

This will not limit your results if a limit exists somewhere.