https://community.splunk.com/t5/Getting-Data-In/Splunk-API-Output-Fields/m-p/463059#M79937 <P>Some More Details:</P> <P>When I am outputting the search from Splunk UI I am getting following fields:</P> <P>_raw,_time,<BR /> app,appId,<BR /> correlationId,<BR /> eventtype,<BR /> host,<BR /> index,<BR /> items.<BR /> access_type,<BR /> items.article_id,<BR /> items.data.fed_id,<BR /> items.eventType,<BR /> items.fed_id,<BR /> items.institution_id,<BR /> items.journal_id,<BR /> items.logLevel,<BR /> items.referer_url,<BR /> items.request_date,<BR /> items.request_method,<BR /> items.resource_type,<BR /> items.session_id,<BR /> items.status_code,<BR /> items.time,<BR /> items.url,<BR /> items.userIp,<BR /> items.user_agent,<BR /> items.user_id,<BR /> items.user_name,<BR /> level,<BR /> linecount,<BR /> message,<BR /> product,<BR /> punct,<BR /> source,<BR /> sourcetype,<BR /> splunk_server,<BR /> splunk_server_group,<BR /> tag,tag::eventtype,vendor</P> <P>What I am getting output of Splunk API the structure includes only a subset of fields which is:</P> <P>_serial<BR /> _time<BR /> source<BR /> sourcetype<BR /> host<BR /> index<BR /> splunk_server<BR /> _raw</P> <P>I would greatly appreciate how to mimic the Splunk UI output with Splunk API. Your help would be greatly appreciated.</P> Wed, 30 Sep 2020 04:48:55 GMT zqureshi 2020-09-30T04:48:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-API-Output-Fields/m-p/463058#M79936 <P>Hello All, when I am using the Splunk API I am getting different fields as compared to the Splunk UI. How can we get similar results (fields) as we are able to get from Splunk UI. I have tried the "rf" attribute also but no luck.</P> <P>This is the call:</P> <PRE><CODE>curl -k -u u:p <A href="https://splunk:8089/servicesNS/admin/search/search/jobs/export" target="test_blank">https://splunk:8089/servicesNS/admin/search/search/jobs/export</A> --data-urlencode search="search index=node message="j-report" appId=\"static--logger\" items.data.f_id != \"\" OR items.inst_id!= \"\" earliest=03/30/2020:0:0:0 latest=03/31/2020:0:0:0" -d rf=* -d output_mode=csv -o test.csv </CODE></PRE> Thu, 02 Apr 2020 02:42:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-API-Output-Fields/m-p/463058#M79936 zqureshi 2020-04-02T02:42:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-API-Output-Fields/m-p/463059#M79937 <P>Some More Details:</P> <P>When I am outputting the search from Splunk UI I am getting following fields:</P> <P>_raw,_time,<BR /> app,appId,<BR /> correlationId,<BR /> eventtype,<BR /> host,<BR /> index,<BR /> items.<BR /> access_type,<BR /> items.article_id,<BR /> items.data.fed_id,<BR /> items.eventType,<BR /> items.fed_id,<BR /> items.institution_id,<BR /> items.journal_id,<BR /> items.logLevel,<BR /> items.referer_url,<BR /> items.request_date,<BR /> items.request_method,<BR /> items.resource_type,<BR /> items.session_id,<BR /> items.status_code,<BR /> items.time,<BR /> items.url,<BR /> items.userIp,<BR /> items.user_agent,<BR /> items.user_id,<BR /> items.user_name,<BR /> level,<BR /> linecount,<BR /> message,<BR /> product,<BR /> punct,<BR /> source,<BR /> sourcetype,<BR /> splunk_server,<BR /> splunk_server_group,<BR /> tag,tag::eventtype,vendor</P> <P>What I am getting output of Splunk API the structure includes only a subset of fields which is:</P> <P>_serial<BR /> _time<BR /> source<BR /> sourcetype<BR /> host<BR /> index<BR /> splunk_server<BR /> _raw</P> <P>I would greatly appreciate how to mimic the Splunk UI output with Splunk API. Your help would be greatly appreciated.</P> Wed, 30 Sep 2020 04:48:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-API-Output-Fields/m-p/463059#M79937 zqureshi 2020-09-30T04:48:55Z