topic Different events number while searching via python sdk in Splunk Search https://community.splunk.com/t5/Splunk-Search/Different-events-number-while-searching-via-python-sdk/m-p/560291#M159235 <P>Hi,</P><P>I am using python SDK to search with this configuration:</P><PRE>query_kwargs = {<SPAN>'earliest_time'</SPAN>: earliest<SPAN>,<BR /></SPAN> <SPAN>'latest_time'</SPAN>: latest<SPAN>,<BR /></SPAN> <SPAN>'results_preview'</SPAN>: <SPAN>False,<BR /></SPAN> <SPAN>'search_mode'</SPAN>: <SPAN>'normal'</SPAN><SPAN>,<BR /></SPAN> <SPAN>'status_buckets'</SPAN>: <SPAN>2<BR /></SPAN> }<BR />job =splunk_client.jobs.create(query<SPAN>, </SPAN>**query_kwargs)<BR /><BR /><STRONG>As the Splunk documentation (<A href="https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/)" target="_blank" rel="noopener">https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/)</A><BR /><BR />I do the follow:</STRONG><BR /><BR /><SPAN>while True</SPAN>:<BR /><SPAN>while not </SPAN>job.is_ready():<BR /><SPAN>pass<BR /></SPAN> stats = {<BR /><SPAN>'isDone'</SPAN>: job[<SPAN>'isDone'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'doneProgress'</SPAN>: job[<SPAN>'doneProgress'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'scanCount'</SPAN>: job[<SPAN>'scanCount'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'eventCount'</SPAN>: job[<SPAN>'eventCount'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'resultCount'</SPAN>: job[<SPAN>'resultCount'</SPAN>]<BR />}<BR /><BR />progress = <SPAN>float</SPAN>(stats[<SPAN>'doneProgress'</SPAN>])*<SPAN>100<BR /></SPAN> scanned = <SPAN>int</SPAN>(stats[<SPAN>'scanCount'</SPAN>])<BR />matched = <SPAN>int</SPAN>(stats[<SPAN>'eventCount'</SPAN>])<BR />result_count = <SPAN>int</SPAN>(stats[<SPAN>'resultCount'</SPAN>])<BR /><BR /><SPAN>if </SPAN>verbose:<BR />status = (<SPAN>"</SPAN><SPAN>\r</SPAN><SPAN>%03.1f%% | %d scanned | %d matched | %d results" </SPAN>% (progress<SPAN>, </SPAN>scanned<SPAN>, </SPAN>matched<SPAN>, </SPAN>result_count))<BR />sys.stdout.write(status)<BR />sys.stdout.flush()<BR /><BR /><SPAN>if </SPAN>job[<SPAN>"isDone"</SPAN>] == <SPAN>"1"</SPAN>:<BR /><SPAN>if </SPAN>verbose:<BR />sys.stdout.write(<SPAN>"</SPAN><SPAN>\n</SPAN><SPAN>"</SPAN>)<BR /><SPAN>break<BR /></SPAN> time.sleep(<SPAN>2</SPAN>)&nbsp;</PRE><P>Then once the job is finished I do this:</P><PRE>offset = <SPAN>0<BR /></SPAN>max_event_count = <SPAN>50000<BR /></SPAN><SPAN><BR /></SPAN>total_results = []<BR />first_50k_results = <SPAN>self</SPAN>.get_results(job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count)<BR />total_results.extend(first_50k_results)<BR /><BR /><SPAN>while </SPAN>offset &lt;= number_of_results:<BR /> offset += max_event_count<BR /> intermediate_result = <SPAN>self</SPAN>.get_results(job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count)<BR /> total_results.extend(intermediate_result)<BR /><BR /></PRE><PRE><SPAN>def </SPAN><SPAN>get_results</SPAN>(<SPAN>self</SPAN><SPAN>, </SPAN>job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count):<BR /> logger.info(<SPAN>"collecting results,please wait . . "</SPAN>)<BR /> results_list = []<BR /> kwargs_paginate = {<SPAN>"count"</SPAN>: max_event_count<SPAN>, </SPAN><SPAN>"offset"</SPAN>: offset}<BR /> <SPAN>for </SPAN>result <SPAN>in </SPAN>results.ResultsReader(job.results(**kwargs_paginate)):<BR /> results_list.append(result)<BR /> <SPAN>return </SPAN>results_list</PRE><P>&nbsp;</P><P>The issue is that the number of events that the python search return is different from the number of events that the search in the Splunk console return.</P><P>Can you please advise what I am doing wrong?</P><P>Please note that I am using&nbsp;<SPAN>explicit index= in my search</SPAN></P><P>&nbsp;</P> Wed, 21 Jul 2021 13:35:47 GMT osnathy83 2021-07-21T13:35:47Z Different events number while searching via python sdk https://community.splunk.com/t5/Splunk-Search/Different-events-number-while-searching-via-python-sdk/m-p/560291#M159235 <P>Hi,</P><P>I am using python SDK to search with this configuration:</P><PRE>query_kwargs = {<SPAN>'earliest_time'</SPAN>: earliest<SPAN>,<BR /></SPAN> <SPAN>'latest_time'</SPAN>: latest<SPAN>,<BR /></SPAN> <SPAN>'results_preview'</SPAN>: <SPAN>False,<BR /></SPAN> <SPAN>'search_mode'</SPAN>: <SPAN>'normal'</SPAN><SPAN>,<BR /></SPAN> <SPAN>'status_buckets'</SPAN>: <SPAN>2<BR /></SPAN> }<BR />job =splunk_client.jobs.create(query<SPAN>, </SPAN>**query_kwargs)<BR /><BR /><STRONG>As the Splunk documentation (<A href="https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/)" target="_blank" rel="noopener">https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/)</A><BR /><BR />I do the follow:</STRONG><BR /><BR /><SPAN>while True</SPAN>:<BR /><SPAN>while not </SPAN>job.is_ready():<BR /><SPAN>pass<BR /></SPAN> stats = {<BR /><SPAN>'isDone'</SPAN>: job[<SPAN>'isDone'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'doneProgress'</SPAN>: job[<SPAN>'doneProgress'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'scanCount'</SPAN>: job[<SPAN>'scanCount'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'eventCount'</SPAN>: job[<SPAN>'eventCount'</SPAN>]<SPAN>,<BR /></SPAN> <SPAN>'resultCount'</SPAN>: job[<SPAN>'resultCount'</SPAN>]<BR />}<BR /><BR />progress = <SPAN>float</SPAN>(stats[<SPAN>'doneProgress'</SPAN>])*<SPAN>100<BR /></SPAN> scanned = <SPAN>int</SPAN>(stats[<SPAN>'scanCount'</SPAN>])<BR />matched = <SPAN>int</SPAN>(stats[<SPAN>'eventCount'</SPAN>])<BR />result_count = <SPAN>int</SPAN>(stats[<SPAN>'resultCount'</SPAN>])<BR /><BR /><SPAN>if </SPAN>verbose:<BR />status = (<SPAN>"</SPAN><SPAN>\r</SPAN><SPAN>%03.1f%% | %d scanned | %d matched | %d results" </SPAN>% (progress<SPAN>, </SPAN>scanned<SPAN>, </SPAN>matched<SPAN>, </SPAN>result_count))<BR />sys.stdout.write(status)<BR />sys.stdout.flush()<BR /><BR /><SPAN>if </SPAN>job[<SPAN>"isDone"</SPAN>] == <SPAN>"1"</SPAN>:<BR /><SPAN>if </SPAN>verbose:<BR />sys.stdout.write(<SPAN>"</SPAN><SPAN>\n</SPAN><SPAN>"</SPAN>)<BR /><SPAN>break<BR /></SPAN> time.sleep(<SPAN>2</SPAN>)&nbsp;</PRE><P>Then once the job is finished I do this:</P><PRE>offset = <SPAN>0<BR /></SPAN>max_event_count = <SPAN>50000<BR /></SPAN><SPAN><BR /></SPAN>total_results = []<BR />first_50k_results = <SPAN>self</SPAN>.get_results(job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count)<BR />total_results.extend(first_50k_results)<BR /><BR /><SPAN>while </SPAN>offset &lt;= number_of_results:<BR /> offset += max_event_count<BR /> intermediate_result = <SPAN>self</SPAN>.get_results(job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count)<BR /> total_results.extend(intermediate_result)<BR /><BR /></PRE><PRE><SPAN>def </SPAN><SPAN>get_results</SPAN>(<SPAN>self</SPAN><SPAN>, </SPAN>job<SPAN>, </SPAN>offset<SPAN>, </SPAN>max_event_count):<BR /> logger.info(<SPAN>"collecting results,please wait . . "</SPAN>)<BR /> results_list = []<BR /> kwargs_paginate = {<SPAN>"count"</SPAN>: max_event_count<SPAN>, </SPAN><SPAN>"offset"</SPAN>: offset}<BR /> <SPAN>for </SPAN>result <SPAN>in </SPAN>results.ResultsReader(job.results(**kwargs_paginate)):<BR /> results_list.append(result)<BR /> <SPAN>return </SPAN>results_list</PRE><P>&nbsp;</P><P>The issue is that the number of events that the python search return is different from the number of events that the search in the Splunk console return.</P><P>Can you please advise what I am doing wrong?</P><P>Please note that I am using&nbsp;<SPAN>explicit index= in my search</SPAN></P><P>&nbsp;</P> Wed, 21 Jul 2021 13:35:47 GMT https://community.splunk.com/t5/Splunk-Search/Different-events-number-while-searching-via-python-sdk/m-p/560291#M159235 osnathy83 2021-07-21T13:35:47Z