Splunk Dev

Too many possible results returned for search?

moe786
Explorer

Hi, a bit of background information. I have a Splunk Enterprise server and I'm working on writing a script to search it for data I want to pull from it. (Using Python 3 with the Splunk SDK (Splunklib.client, Splunklib.requests))

The way I am currently doing it is that we have an audit viewer which can be used to run a search; this viewer for example also shows the query string, so I am using the same query string when I use my script. The problem is, say I run a search on my audit viewer, I'll get two results back, but when I use the exact same string, I get like 12k lines of results back, which I'm not sure are relevant or not.

This is how I am running the search atm:

import splunklib.client as client
import splunklib.results as results

service = None

def login():
    # Connect to the Splunk REST API (host and credentials here are placeholders,
    # not values from the original post).
    global service
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme")

def start():
    # Connect to splunk servers.
    login()
    # Get input of various search parameters.
    query = input("Enter query string, you can create it using the audit viewer: ")
    query = "search " + query
    # Stream results back from the export endpoint and write events to a file.
    with open("output.txt", "w") as f:
        rr = results.ResultsReader(service.jobs.export(query))
        for result in rr:
            if isinstance(result, results.Message):
                # Diagnostic messages may be returned in the results
                print(result.type, result.message)
            elif isinstance(result, dict):
                # Normal events are returned as dicts
                print(result, file=f)
        # Export never returns preview results; fail loudly if that assumption breaks.
        assert not rr.is_preview

if __name__ == "__main__":
    start()

And my file prints out a ton of OrderedDicts of information that seem to me like they shouldn't be there.

So how do I make sure I only get the results which I perceive to be the correct amount (the online viewer)? And lastly I would like to use these results to get the GUID, which I can use to get the payload for the events; how do I accomplish that?

Thanks

0 Karma
1 Solution

moe786
Explorer

I realized that this is simply an issue with my query string pulling date/time data from JavaScript, and thus isn't accounted for when I copy paste the string. This leads to it getting all possible results it can.


0 Karma
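The accepted answer identifies the cause: the audit viewer applies its time picker through JavaScript, so that window is not part of the SPL string that gets copied, and an export without earliest/latest defaults to all time. The following is an added example (not the poster's code or the Splunk SDK's own helpers) of passing the time window as export job parameters and then pulling one field, such as the GUID mentioned in the question, out of the returned events. The host, credentials, the field name `guid`, and the time-window values are assumptions chosen for illustration; the `reader` parameter is injectable only so the function can be exercised without a live server.

```python
"""Bound a Splunk SDK export to an explicit time window and collect one field.

Added example; assumptions (not from the original post): the host/credentials,
the event field named `guid`, and the sample time windows are placeholders.
"""


def build_export_args(query, earliest, latest):
    """Return (spl, kwargs) suitable for service.jobs.export(spl, **kwargs).

    The audit viewer sets its time range through JavaScript, so the range never
    appears in the copied SPL string. Passing earliest_time/latest_time as job
    parameters reproduces the window the viewer used instead of falling back to
    'All time'. Values may be relative modifiers ("-15m", "@d") or absolute
    timestamps in a format Splunk accepts.
    """
    spl = query.strip()
    # The export endpoint needs a leading command; generating commands like
    # "| tstats" already have one, plain search terms do not.
    if not spl.startswith("search ") and not spl.startswith("|"):
        spl = "search " + spl
    return spl, {"earliest_time": earliest, "latest_time": latest}


def collect_field(events, field="guid", limit=None):
    """Collect `field` from each event dict in the result stream.

    Non-dict items (the SDK's results.Message diagnostics) are skipped, and
    collection stops once `limit` values have been gathered, so an accidental
    all-time export cannot swamp the caller.
    """
    values = []
    for ev in events:
        if not isinstance(ev, dict):
            continue
        if field in ev:
            values.append(ev[field])
            if limit is not None and len(values) >= limit:
                break
    return values


def export_field(service, query, earliest="-24h@h", latest="now",
                 field="guid", limit=None, reader=None):
    """Run a time-bounded export and return the collected field values.

    `reader` wraps the raw export stream. It defaults to the SDK's
    results.ResultsReader (XML output, as in the original script) and is
    injectable so the logic can be tested without a Splunk server.
    """
    if reader is None:
        from splunklib import results
        reader = results.ResultsReader
    spl, kwargs = build_export_args(query, earliest, latest)
    stream = service.jobs.export(spl, **kwargs)
    return collect_field(reader(stream), field, limit)


if __name__ == "__main__":
    import splunklib.client as client
    # Placeholder connection details; replace with your own.
    service = client.connect(host="splunk.example.internal", port=8089,
                             username="api_user", password="PLACEHOLDER")
    guids = export_field(service, "index=_audit action=search",
                         earliest="-15m", latest="now", limit=100)
    print(len(guids), "GUIDs from the last 15 minutes")
```

With the window passed explicitly, the script returns the same events the viewer shows for that range; the `limit` guard is a second line of defence so a query that is still broader than intended cannot write tens of thousands of OrderedDicts to disk before anyone notices.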
