
Fields missing only when queried via SDK / Rest API

Explorer

I have a query to average out the performance of requests for each individual server for the last one minute, as follows:

index=iis earliest=-1m host=group1_* OR host=group2_*  | STATS avg(time_taken) as Value BY host | EVAL counter="Server Response Time" | fields + host, Value, counter

This works fine via the Splunk Web/UI but the exact same query yields no "Value" column when submitted via the SDK.

So this query returns exactly what I want/expect via Splunk web access: three columns: one for the host/server name, one for the average of the time_taken fields for that host, and one column containing the literal "Server Response Time", just so that the client code that I'm writing (via the Splunk C# SDK v2.0.0) can distinguish the results of this query from other queries.

However, I can't get the REST API to return any values for the "Value" column. I've mimicked the code sample from the C# SDK found in root\examples\normal-search\Program.cs, using the example of the "Pull Model" code sample.

And my code works fine for other Splunk queries; just not this query with the "STATS avg(...)" clause.

Interestingly, the Splunk.Client.SearchResult object does have an entry in its .FieldNames collection named "Value", but the dynamic object itself never has a .Value property, nor can I find anything resembling the Value column I see just fine when running the same query within the Web/UI. I can however find all other columns in the dynamic object.

Additionally, I looked at the request to the REST API itself and it appears as though the "Value" field is defined differently than the other fields, "host" and "counter", but I cannot understand the reasons why.

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field groupby_rank="0">host</field>
<field>Value</field>
<field type="str">counter</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>
    <result offset='1'>
        <field k='host'>
            <value h='1'><text>[redacted]</text></value>
        </field>
        <field k='counter'>
            <value><text>Server Response Time</text></value>
        </field>
    </result>

and so on.

Thank you in advance for any help!

0 Karma
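
An added example, not part of the original posts and not Splunk SDK code: a small Python check over a results document shaped like the one quoted in the question, listing fields that `<fieldOrder>` declares but no `<result>` row populates, which is the symptom the thread goes on to trace to field permissions. The host names in the sample are constructed placeholders and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the response quoted above; host values are placeholders.
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field groupby_rank="0">host</field>
<field>Value</field>
<field type="str">counter</field>
</fieldOrder>
</meta>
    <result offset='0'>
        <field k='host'><value h='1'><text>host-a</text></value></field>
        <field k='counter'><value><text>Server Response Time</text></value></field>
    </result>
    <result offset='1'>
        <field k='host'><value h='1'><text>host-b</text></value></field>
        <field k='counter'><value><text>Server Response Time</text></value></field>
    </result>
</results>"""


def field_coverage(xml_text):
    """Return {declared field name: number of result rows that carry a value for it}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    declared = [f.text for f in root.findall("./meta/fieldOrder/field")]
    counts = dict.fromkeys(declared, 0)
    for result in root.findall("./result"):
        for field in result.findall("./field"):
            name = field.get("k")
            # A field only counts if it holds at least one <value><text> entry.
            if field.find("./value/text") is not None:
                counts[name] = counts.get(name, 0) + 1
    return counts


def missing_fields(xml_text):
    """Fields listed in <fieldOrder> that no result row populated."""
    return [name for name, n in field_coverage(xml_text).items() if n == 0]


if __name__ == "__main__":
    for name, n in field_coverage(SAMPLE).items():
        print(f"{name}: present in {n} row(s)")
    print("declared but empty:", missing_fields(SAMPLE))
```

Running the same check on the response obtained under the Web UI user and under the SDK user shows whether the difference follows the account and app context rather than the query.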

Re: Fields missing only when queried via SDK / Rest API

Builder

Have you tried using some other name instead of Value (say avgtimetaken or so)?

0 Karma

Re: Fields missing only when queried via SDK / Rest API

Explorer

That's a good idea to try. Unfortunately "Foo" doesn't work either, as in: index=iis earliest=-1m host=group1_* OR host=group2_* | STATS avg(time_taken) as Foo BY host | EVAL counter="Server Response Time" | fields + host, Foo, counter
My guess is that something to do with "STATS" or "avg" or the piping is preventing the field from being returned, but I haven't been able to figure out how to overcome it.

0 Karma

Re: Fields missing only when queried via SDK / Rest API

Builder

Check the field extract permissions and if the scope is defined as app or global... try to make it "global" and accessible to everybody.

0 Karma

Re: Fields missing only when queried via SDK / Rest API

Explorer

It did indeed turn out to be a permissions issue. If you like, make this into a full answer and I will gladly accept it. Either way, thanks!

0 Karma

Re: Fields missing only when queried via SDK / Rest API

New Member

Could you show me how to define the scope as global? Thanks so much!

0 Karma
