Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Real time search of _audit using Python SDK

jlentner
Engager
‎06-28-2013 12:37 PM

Using the follow.py example script, I get no events when searching using 'index=_audit action=alert_fired'. When I run this search I can go into 'Jobs' and watch it from the GUI and see records returned, but they are not displayed from the python script.

Other searches work as expected (like 'index=_audit action=search'), but the alert_fired action returns no events.

The only difference I can find is searches that return events to the Python script show a '< results preview='0'/>' while the alert_fired returns '< results preview='1'/>'.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎07-03-2013 10:23 AM

< results preview='1'/> means there are no events that match that search criteria. It is surprising that you notice events when you look at it from Jobs from the UI.

follow.py example uses 'rt' for both earliest and latest time boundaries. Can you try and run the same search (index=_audit action=search) from the UI with time dropdown set to All time (real-time) and see whether that returns any events?

0 Karma
Reply

jlentner
Engager
‎07-03-2013 12:35 PM

From the UI, 'index=_audit action=alert_fired' works as expected. I'm not having any problems if I use action=search (from either my Python script or the UI). I applied 5.0.3 this morning and my symptoms have slightly changed. Now, when I run my script that starts the real time search I still get no results (as before), but if I go into 'Jobs' and click on the link to take me to that in progress search it shows events incrementing but I don't see the actual alert text displayed. With 5.0.2 I would see the text.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...