Splunk Dev

Too many possible results returned for search?

moe786
Explorer

Hi, a bit of background information. I have a Splunk Enterprise server and I'm working on writing a script to search it for data I want to pull from it. (Using Python 3 with the Splunk SDK (splunklib.client, splunklib.requests))

The way I am currently doing it is that we have an audit viewer which can be used to run a search; this viewer, for example, also shows the query string, so I am using the same query string when I use my script. The problem is, say I run a search in my audit viewer, I'll get two results back, but when I use the exact same string, I get like 12k lines of results back, which I'm not sure are relevant or not.

This is how I am running the search at the moment:

import splunklib.client as client
import splunklib.results as results

# Set by login(); the original post does not show how the connection is made.
service = None


def login():
    # Connect to the Splunk management port. Host and credentials below are
    # placeholders, not values from the original post.
    global service
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme")


def start():
    # Connect to splunk servers.
    login()
    # Get input of various search parameters.
    query = input("Enter query string, you can create it using the audit viewer: ")
    query = "search " + query
    # Get results and start writing them out.
    # Note: no earliest_time/latest_time is passed to export(), so the search
    # endpoint applies no time range and returns matches from all time.
    with open("output.txt", "w") as f:
        rr = results.ResultsReader(service.jobs.export(query))
        for result in rr:
            if isinstance(result, results.Message):
                # Diagnostic messages may be returned in the results
                print(result.type, result.message)
            elif isinstance(result, dict):
                # Normal events are returned as dicts (OrderedDict)
                print(result, file=f)
        # export() streams final results only; there should be no preview rows
        assert not rr.is_preview

And my file prints out a ton of OrderedDicts of information that seems to me shouldn't be there.

So how do I make sure I only get the results which I perceive to be the correct amount (the online viewer)? And lastly, I would like to use these results to get the GUID, which I can use to get the payload for the events; how do I accomplish that?

Thanks

0 Karma
1 Solution

moe786
Explorer

I realized that this is simply an issue with my query string pulling date/time data from JavaScript, and thus isn't accounted for when I copy paste the string. This leads to it getting all possible results it can.


0 Karma
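The solution above points at the actual mechanism: the viewer applies its time picker outside the SPL (via JavaScript, as separate earliest/latest parameters), so the copied query string has no time bounds and search/jobs/export searches all time. The following is an added example, not code from the original post, showing how to normalize a query copied from such a viewer and how to pass the time range to the export endpoint as the REST parameters earliest_time/latest_time. It also guards against a second copy-paste pitfall: prepending "search " to a string that already starts with "search" or with a generating command such as "| tstats". Function names and the sample queries are constructed for this example.

```python
import re

# SPL time modifiers as they appear inside a query, e.g. "earliest=-24h latest=now".
_TIME_TOKEN = re.compile(
    r"\b(earliest|latest|_index_earliest|_index_latest)\s*=", re.IGNORECASE)


def normalize_query(spl):
    """Return the query in the form search/jobs/export expects.

    A string copied from a viewer may already begin with "search" or with a
    pipe (a generating command); prepending "search " to those breaks them.
    """
    q = spl.strip()
    if q.startswith("|") or re.match(r"search\b", q, re.IGNORECASE):
        return q
    return "search " + q


def has_inline_time_range(spl):
    """True if the SPL itself carries earliest/latest modifiers."""
    return _TIME_TOKEN.search(spl) is not None


def build_export_args(spl, earliest=None, latest=None):
    """Return (query, params) to call service.jobs.export(query, **params).

    If neither the SPL nor the caller supplies a time range, the export
    endpoint would search all time (the cause of the oversized result in the
    post), so refuse to build such a request instead of silently doing that.
    """
    query = normalize_query(spl)
    params = {}
    if not has_inline_time_range(query):
        if earliest is None or latest is None:
            raise ValueError(
                "query carries no time range; pass earliest/latest "
                "(the viewer adds them outside the SPL, so they are not copied)")
        params["earliest_time"] = earliest
        params["latest_time"] = latest
    return query, params


def export_events(service, spl, earliest=None, latest=None):
    """Run the export against a connected splunklib.client.Service and return
    the event dicts; diagnostic messages are printed. The SDK is imported here
    so the pure helpers above can be exercised without it installed."""
    import splunklib.results as results
    query, params = build_export_args(spl, earliest, latest)
    events = []
    for item in results.ResultsReader(service.jobs.export(query, **params)):
        if isinstance(item, results.Message):
            print(item.type, item.message)
        elif isinstance(item, dict):
            events.append(item)
    return events


if __name__ == "__main__":
    # Constructed sample: the kind of string a viewer shows, with no time bounds.
    copied = "index=_audit action=search user=alice"
    print(build_export_args(copied, earliest="-24h", latest="now"))
```

Whether the bounds go into the SPL ("earliest=-24h latest=now") or into the earliest_time/latest_time POST parameters makes no difference to the results; the point is that one of the two must be present, and the viewer's own values need to be read off its time picker rather than expected in the copied string.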
