Developing for Splunk Enterprise

real-time search using python SDK export command


So here is my code:

import splunklib.client as client
import splunklib.results as results

# Connection details are placeholders (not in the original post); adjust for your deployment
service = client.connect(host="localhost", port=8089, username="admin", password="changeme")
query = "search index=main"  # or the `notable` query shown below
job_kwargs = {"search_mode": "realtime", "earliest_time": "rt", "latest_time": "rt"}
# jobs.export() streams results; ResultsReader yields dicts (results) and Message objects
for item in results.ResultsReader(service.jobs.export(query, **job_kwargs)):
    if isinstance(item, results.Message):
        print("%s: %s" % (item.type, item.message))
    else:
        print(item)


When I try to run this code with a general query


query="search index=main"


it works properly.
But if I try with


query="search `notable` | eval rule_name=if(isnull(rule_name),source,rule_name) | eval rule_title=if(isnull(rule_title),rule_name,rule_title) | `get_urgency` | `risk_correlation` | eval rule_description=if(isnull(rule_description),source,rule_description) | eval security_domain=if(isnull(security_domain),source,security_domain)"


I get a lot of events that I cannot see in the regular search.
Also, I get almost every event multiple times with a little change (such as dest_ip= and dest_ip=), and some of them are even identical.

Note: when I try to test it, I find that I have on average 9 events in 5 minutes, but when I use the real-time search I get almost 130 on average.

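A diagnostic that separates exact repeats from near-repeats in the real-time stream, as an added example that is not part of the original post or of the Splunk SDK. It assumes a notable can be keyed on `_time`, `rule_name` and `source` (an assumption; use whatever fields identify one notable in your environment), runs on a constructed sample of result rows shaped like what `ResultsReader` yields, and the `__main__` section shows feeding it a bounded slice of `jobs.export()` output with placeholder connection details.

```python
from collections import defaultdict
from itertools import islice

# Fields assumed to identify one notable across re-emissions (assumption; tune per environment)
KEY_FIELDS = ("_time", "rule_name", "source")

# Constructed sample rows in the shape ResultsReader yields (dicts of field -> value)
SAMPLE_ROWS = [
    {"_time": "1617000000", "rule_name": "Brute Force Access", "source": "Brute Force Access Behavior Detected - Rule", "dest_ip": "10.0.0.5", "urgency": "high"},
    {"_time": "1617000000", "rule_name": "Brute Force Access", "source": "Brute Force Access Behavior Detected - Rule", "dest_ip": "10.0.0.5", "urgency": "high"},
    {"_time": "1617000000", "rule_name": "Brute Force Access", "source": "Brute Force Access Behavior Detected - Rule", "dest_ip": "10.0.0.7", "urgency": "high"},
    {"_time": "1617000060", "rule_name": "Malware Detected", "source": "Endpoint Malware Detected - Rule", "dest_ip": "10.0.0.9", "urgency": "medium"},
]


def diff_fields(a, b):
    """Names of the fields whose values differ between two result rows."""
    return sorted(f for f in set(a) | set(b) if a.get(f) != b.get(f))


def group_results(rows, key_fields=KEY_FIELDS):
    """Group result rows by the key fields; non-dict items (results.Message) are skipped."""
    groups = defaultdict(list)
    for row in rows:
        if isinstance(row, dict):
            groups[tuple(row.get(f) for f in key_fields)].append(row)
    return groups


def summarize(rows, key_fields=KEY_FIELDS):
    """Count distinct keys, exact repeats and near repeats (same key, other fields differ),
    and tally which fields carry the variation."""
    groups = group_results(rows, key_fields)
    exact = near = 0
    varying = defaultdict(int)
    for members in groups.values():
        first = members[0]
        for other in members[1:]:
            changed = diff_fields(first, other)
            if changed:
                near += 1
                for f in changed:
                    varying[f] += 1
            else:
                exact += 1
    return {
        "total": sum(len(m) for m in groups.values()),
        "distinct": len(groups),
        "exact_duplicates": exact,
        "near_duplicates": near,
        "varying_fields": dict(varying),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    # Against a live real-time export: a realtime job never ends, so take a bounded slice.
    import splunklib.client as client
    import splunklib.results as results
    service = client.connect(host="localhost", port=8089, username="admin", password="changeme")  # placeholders
    stream = service.jobs.export("search `notable`", search_mode="realtime", earliest_time="rt", latest_time="rt")
    print(summarize(islice(results.ResultsReader(stream), 200)))
```

Run over the same 5-minute window the post describes, `distinct` is the number to compare against the 9 events the regular search returns, and `varying_fields` shows which fields differ between the near-identical copies, which is what to inspect before deciding what to dedup on.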


I am facing a similar problem.
