Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Python SDK: Mismatch Results

kavithaisplunk
New Member
‎02-21-2019 12:24 AM

I am using Splunk Python SDK to run series of splunk queries. Recently encountered an issue, results from SDK and manually running query on the Web yields different results. All I am trying to do is run a simple query to get the count for a particular timeframe(index=xxx | stats count). I see SDK query result count is short of 1 million than the one executed manually. I did verify the timeframe is same in both the case. Could someone shed some light?

Labels (2)
Labels
0 Karma
Reply

raduurjan
Explorer
‎12-11-2019 05:47 AM

Try adding the following arguments in the kwargs dictionary:

"count" : 0

This will not limit your results if a limit exists somewhere.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-21-2019 05:53 AM

Please post both the manual search and the code used with the sdk to create the search via API.

Please be sure the user executing the search is the same.

Please verify the job properties match between both jobs. (Open splunk UI -> Activity -> Jobs -> find your job -> click job drop down -> inspect job)

0 Karma
Reply

kavithaisplunk
New Member
‎02-21-2019 07:21 AM

I am exactly doing the same as below.. Running the same query manually I get 5 Million as Total count but running through the below code returns only 4 Million as Total count.

import splunklib.results as results

kwargs_oneshot = {"earliest_time": "2014-06-19T12:00:00.000-07:00",
"latest_time": "2014-06-20T12:00:00.000-07:00"}
searchquery_oneshot = "index=SearcherIndex NOT "health" | stats count"

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

Get the results and display them using the ResultsReader

reader = results.ResultsReader(oneshotsearch_results)
for item in reader:
print(item)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...