https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-filter-a-saved-search-using-the-Splunk-Python/m-p/158276#M32084 <P>For what I know, you can't postprocess a job in Python SDK. But you can perform the search itself:</P> <PRE><CODE>import splunklib.client as client sp_con = client.connect(username='admin', password='password', host='127.0.0.1', scheme='https', port='8089', app='appname', autologin=True) query = """ | savedsearch "my_search" | search title="Elite Baller" person="me" | table * """ earliest = an_epoch_time latest = an_epoch_time rr = sp_con.jobs.oneshot(query, count=0, earliest_time=earliest, latest_time=latest) </CODE></PRE> <P>Remember to give correct app and username to your connection, or your saved search will be not visible to the script.</P> Thu, 16 Apr 2015 10:28:49 GMT marco_sulla 2015-04-16T10:28:49Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-filter-a-saved-search-using-the-Splunk-Python/m-p/158275#M32083 <P>In the main Splunk interface, I can filter down on a saved search like this:</P> <PRE><CODE>| savedsearch "my_search" | search title="Elite Baller" person="me" | table * </CODE></PRE> <P>This will run my saved search, "my_search", and then filter down the results further.</P> <P>I'm trying to do the same thing in the SDK (Python), using the same saved search. But it's not working for me! I've tried many iterations:</P> <PRE><CODE>... # Load Saved Search saved_search = self.connect().saved_searches['my_search'] # Load Job if saved_search.history(): job = saved_search.history()[-1] else: job = saved_search.dispatch() # Poll API while True: job.refresh() if job['isDone'] == '1': break # Here's where I'm trying to filter down the search further search = '' # search_items['title'] = 'Elite Baller' # search_items['person'] = 'me' if len(search_items) &gt; 0: search += 'search ' for key, val in iteritems(search_items): search += '%s%%3D%s ' % (key, val) search = search[:-1] # trim trailing space job_kwargs['search'] = search # Fetch Result job_result = job.results(**job_kwargs) reader = results.ResultsReader(job_result) # ... iterate over reader ... # </CODE></PRE> <P>Anyway, I've tried every which way to build an argument list string and place it into job_kwargs, but no such luck.</P> <P>Am I missing something simple?</P> <P>Thanks!</P> Mon, 23 Feb 2015 23:33:48 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-filter-a-saved-search-using-the-Splunk-Python/m-p/158275#M32083 photuris 2015-02-23T23:33:48Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-filter-a-saved-search-using-the-Splunk-Python/m-p/158276#M32084 <P>For what I know, you can't postprocess a job in Python SDK. But you can perform the search itself:</P> <PRE><CODE>import splunklib.client as client sp_con = client.connect(username='admin', password='password', host='127.0.0.1', scheme='https', port='8089', app='appname', autologin=True) query = """ | savedsearch "my_search" | search title="Elite Baller" person="me" | table * """ earliest = an_epoch_time latest = an_epoch_time rr = sp_con.jobs.oneshot(query, count=0, earliest_time=earliest, latest_time=latest) </CODE></PRE> <P>Remember to give correct app and username to your connection, or your saved search will be not visible to the script.</P> Thu, 16 Apr 2015 10:28:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-unable-to-filter-a-saved-search-using-the-Splunk-Python/m-p/158276#M32084 marco_sulla 2015-04-16T10:28:49Z