how to get event string from ResultsReader (python...

rgrimsha · ‎02-10-2013

I am following the documentation example except I am searching for syslog data. i.e. DHCPRELEASE
and the results I get from ResultsReader include the time, server etc - everything except the data string i.e. the MacAddress that released. How can I get the syslog string data for the event? Thank you.

dart · ‎02-11-2013

The _raw field is the event text.

bradp123 · ‎08-24-2013

@rgrimsha, I am also getting a truncated _raw field in my results. Did you figure out how to get the full line of text back with the python SDK? It seems the text is truncated after the word in my search query.

rgrimsha · ‎02-12-2013

Looking a little deeper, the data is correctly being returned in the query. it is being truncated by the results.ResultsReader function used in the example. The returned data looks a little like this (sanitized) Feb 12 13:50:13 hostname dhcpd: DHCPRELEASE of 123.456.789.321 from 22:33:44:55:66:77 via eth0 (found)
but the ResultsReader stops before the <sg for the _raw field.

rgrimsha · ‎02-12-2013

Thank you, I do see the _raw fieldname and some data... but it is truncated to only show the timestamp server and application portion.

how to get event string from ResultsReader (python)

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!