https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432979#M7771 <P>newbie question...<BR /> I'd like to know the appropriate Python API syntax for the following GUI query:</P> <BLOCKQUOTE> <P>source="/var/log/my-test.log" index="testing" sourcetype="_json"</P> </BLOCKQUOTE> <P>I get a good set of results running it in the GUI but I'm always getting 0 results from the API. I'm working off the API docs with the following base code:</P> <BLOCKQUOTE> <P>kwargs_blockingsearch = {"exec_mode": "blocking"}<BR /> searchquery_blocking = "search * | head 10"<BR /> job = jobs.create(searchquery_blocking, **kwargs_blockingsearch)<BR /> so...<BR /> what's the correct syntax for replacing "search *|head 10" with my query?</P> </BLOCKQUOTE> Wed, 30 Sep 2020 01:38:36 GMT lfast12 2020-09-30T01:38:36Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432979#M7771 <P>newbie question...<BR /> I'd like to know the appropriate Python API syntax for the following GUI query:</P> <BLOCKQUOTE> <P>source="/var/log/my-test.log" index="testing" sourcetype="_json"</P> </BLOCKQUOTE> <P>I get a good set of results running it in the GUI but I'm always getting 0 results from the API. I'm working off the API docs with the following base code:</P> <BLOCKQUOTE> <P>kwargs_blockingsearch = {"exec_mode": "blocking"}<BR /> searchquery_blocking = "search * | head 10"<BR /> job = jobs.create(searchquery_blocking, **kwargs_blockingsearch)<BR /> so...<BR /> what's the correct syntax for replacing "search *|head 10" with my query?</P> </BLOCKQUOTE> Wed, 30 Sep 2020 01:38:36 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432979#M7771 lfast12 2020-09-30T01:38:36Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432980#M7772 <P>@lfast12 </P> <P>Just replace it with your search.</P> <P><CODE>searchquery_blocking = 'search source="/var/log/my-test.log" index="testing" sourcetype="_json" '</CODE> </P> <P>OR</P> <P><CODE>searchquery_blocking = "search source=\"/var/log/my-test.log\" index=\"testing\" sourcetype=\"_json\" '</CODE> </P> <P>Check section <STRONG>To create a blocking search and display properties of the job</STRONG> in below link.</P> <P><A href="http://dev.splunk.com/view/python-sdk/SP-CAAAEE5">http://dev.splunk.com/view/python-sdk/SP-CAAAEE5</A></P> Tue, 06 Aug 2019 04:39:43 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432980#M7772 kamlesh_vaghela 2019-08-06T04:39:43Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432981#M7773 <P>Thanks Kamlesh,<BR /> That didn't work but it put me on the right track. Here's what finally worked:</P> <BLOCKQUOTE> <P>kwargs_blockingsearch = {"exec_mode": "blocking"}<BR /> searchquery_blocking = 'search source="/var/log/splunk-test.log" index="testing" sourcetype="_json"'<BR /> job = jobs.create(searchquery_blocking, **kwargs_blockingsearch)</P> </BLOCKQUOTE> <P>The only difference is prefixing your suggestion with 'search ...'</P> <P>Simple enough but when there are too many choices you can easily go down the wrong path. Thanks again.</P> Wed, 30 Sep 2020 01:38:48 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432981#M7773 lfast12 2020-09-30T01:38:48Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432982#M7774 <P>@lfast12</P> <P>Yes. I missed adding the <CODE>search</CODE> command. Updated answer. When we execute any search from Python or CURL we need to add <CODE>search</CODE> initially which is not required in GUI. Please upvote and accept this answer if it helps you.</P> <P>Thanks</P> Tue, 06 Aug 2019 06:31:26 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-translate-a-GUI-search-query-into-a-python-API-query/m-p/432982#M7774 kamlesh_vaghela 2019-08-06T06:31:26Z