Developing for Splunk Enterprise

Real time search of _audit using Python SDK

Engager

Using the follow.py example script, I get no events when searching using 'index=_audit action=alert_fired'. When I run this search I can go into 'Jobs' and watch it from the GUI and see records returned, but they are not displayed from the python script.

Other searches work as expected (like 'index=_audit action=search'), but the alert_fired action returns no events.

The only difference I can find is searches that return events to the Python script show a `<results preview='0'/>` while the alert_fired search returns `<results preview='1'/>`.


Splunk Employee

`<results preview='1'/>` means there are no events that match that search criteria. It is surprising that you notice events when you look at it from Jobs in the UI.

The follow.py example uses 'rt' for both the earliest and latest time boundaries. Can you try running the same search (index=_audit action=search) from the UI with the time dropdown set to All time (real-time) and see whether that returns any events?

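An added example, not from this thread or the Splunk SDK, that parses the results XML a real-time job's preview call streams (the format whose `<results preview='1'/>` is quoted above): the `preview` attribute marks an interim snapshot of a still-running job, so an empty one means nothing has matched in the real-time window yet and the loop should keep polling rather than conclude there are no alerts. A monitor for `action=alert_fired` that stops at the first empty preview silently misses the alert firings it exists to watch. The payload layout and field names (`ss_name`) in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET


def parse_results(payload):
    """Return (is_preview, events) for one Splunk results XML payload.
    is_preview is True when the root carries preview='1' (interim snapshot of a
    running job); events is a list of dicts keyed by field name."""
    root = ET.fromstring(payload)
    is_preview = root.get("preview") == "1"
    events = []
    for result in root.iter("result"):
        event = {}
        for field in result.findall("field"):
            values = [t.text or "" for t in field.iter("text")]
            if not values:  # e.g. _raw, which arrives as <v>...</v> rather than <text>
                values = ["".join(field.itertext()).strip()]
            event[field.get("k")] = values[0] if len(values) == 1 else values
        events.append(event)
    return is_preview, events


def follow(snapshots):
    """Replay preview payloads the way a polling loop over the real-time job sees
    them. An empty preview means the job is alive but nothing has matched yet, so
    it is counted and polling continues instead of stopping."""
    seen, empty_previews = [], 0
    for payload in snapshots:
        is_preview, events = parse_results(payload)
        if is_preview and not events:
            empty_previews += 1
            continue
        seen.extend(e for e in events if e.get("action") == "alert_fired")
    return seen, empty_previews


# Constructed sample payloads (assumed layout), modelled on the results XML format.
EMPTY_PREVIEW = b"<results preview='1'/>"
ALERT_PREVIEW = b"""<results preview='1'>
<meta><fieldOrder><field>_time</field><field>action</field><field>ss_name</field></fieldOrder></meta>
<result offset='0'>
<field k='_time'><value><text>2013-06-01T10:15:00.000-07:00</text></value></field>
<field k='action'><value><text>alert_fired</text></value></field>
<field k='ss_name'><value><text>Failed logins over threshold</text></value></field>
</result>
</results>"""

if __name__ == "__main__":
    alerts, empties = follow([EMPTY_PREVIEW, EMPTY_PREVIEW, ALERT_PREVIEW])
    print(f"{empties} empty preview(s) before {len(alerts)} alert_fired event(s): {alerts}")
```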

Engager

From the UI, 'index=_audit action=alert_fired' works as expected. I'm not having any problems if I use action=search (from either my Python script or the UI). I applied 5.0.3 this morning and my symptoms have slightly changed. Now, when I run my script that starts the real-time search I still get no results (as before), but if I go into 'Jobs' and click on the link to take me to that in-progress search, it shows events incrementing but I don't see the actual alert text displayed. With 5.0.2 I would see the text.
