Re: how to get event string from ResultsReader (py...

rgrimsha · ‎02-10-2013

I am following the documentation example except I am searching for syslog data. i.e. DHCPRELEASE
and the results I get from ResultsReader include the time, server etc - everything except the data string i.e. the MacAddress that released. How can I get the syslog string data for the event? Thank you.

dart · ‎02-11-2013

The _raw field is the event text.

bradp123 · ‎08-24-2013

@rgrimsha, I am also getting a truncated _raw field in my results. Did you figure out how to get the full line of text back with the python SDK? It seems the text is truncated after the word in my search query.

rgrimsha · ‎02-12-2013

Looking a little deeper, the data is correctly being returned in the query. it is being truncated by the results.ResultsReader function used in the example. The returned data looks a little like this (sanitized) Feb 12 13:50:13 hostname dhcpd: DHCPRELEASE of 123.456.789.321 from 22:33:44:55:66:77 via eth0 (found)
but the ResultsReader stops before the <sg for the _raw field.

rgrimsha · ‎02-12-2013

Thank you, I do see the _raw fieldname and some data... but it is truncated to only show the timestamp server and application portion.

how to get event string from ResultsReader (python)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Join the Conversation