Ref : http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT
End business Need
Current State
I've been able to write a Python program and make it work in my environment that executes the search and produces results. I used http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT as a reference.
Issues
The results I get are as shown in the following record. How do I get the fields of _raw? Meaning, what does each value of _raw mean, and how do I get that information? I'm printing the output as JSON and was hoping to see something like "_time:value, service_type=Delivery, user_ud=some value, name=yachut bhatt ...."
How do I pass the parameters to the search so that the searching is restricted to FROM DATE and TO DATE, plus other filters like CLIENT_ID=10, etc.?
Any pointers will be greatly appreciated
{"preview":false,"offset":9,"lastrow":true,"result":{"_bkt":"test_order_csv_sample~0~76DA16A5-7E06-4EAA-AFD7-A0266F5D694C","_cd":"0:24","_indextime":"1421442304","_raw":"391,6/10/14 18:01,Delivery,,af0efa8e-dac1-11e3-b0a0-02b794fe8073,yachut bhatt,4f41c60e-c3c2-48b1-8c32-15e2427bcf70,7/21/14 21:45,cancelled,,,,,0,0,,55,,,,,,,,af0f03f8-dac1-11e3-b0a0-02b794fe8073,,10/13/14 18:55,0,,,0","_serial":"9","_si":["Ronaks-MacBook-Air.local","test_order_csv_sample"],"_sourcetype":"order_sample_test_csv","_time":"2014-06-10 18:01:00.000 PDT","host":"Ronaks-MacBook-Air.local","index":"test_order_csv_sample","linecount":"1","source":"order_sample.csv","sourcetype":"order_sample_test_csv","splunk_server":"Ronaks-MacBook-Air.local"}}
You are probably running a search which spits out the raw data.
I would recommend appending | format to your query.
For example, if your current query was
index=flower_shop sourcetype=errors source=folder/myflowerlog.txt
Edit it to make it
index=flower_shop sourcetype=errors source=folder/myflowerlog.txt | format
That should fix your first issue.
Parameters need to be sent in the query:
index=flower_shop sourcetype=errors source=folder/myflowerlog.txt earliest=-60m@m latest=-10m@m| format
For the Splunk documentation reference, click here.
Hi Abhijit
Thanks for the reply. The format does add the field names; the results look like below. While much better than not having field names, I'm confused as to why it adds "AND" instead of simply "assigned_delay=0, bumped_delay=0, user_name=John Paul ...."
Any idea?
Search Query ===> search index=* source=order_sample.csv timeformat=%m/%d/%Y:%H:%M:%S earliest=6/10/2014:00:00:00 latest=11/12/2014:20:00:00 | head 1 | format
Session Key: dNF2ZwLLIb0pHufRgsAkHxEK6VNid^UmtkDnb^VbiSE_jF9cJiOaeayd4_55iQRjAqxMfG2JbQqjpj^ho28HtTB3NCOvlv4toP650z4ZMAN
{"preview":false,"offset":0,"lastrow":true,"result":{"search":"( ( assigned_delay=\"0\" AND bumped_delay=\"0\" AND created_at=\"6/10/14 19:40\" AND date_hour=\"19\" AND date_mday=\"10\" AND date_minute=\"40\" AND date_month=\"june\" AND date_wday=\"tuesday\" AND date_year=\"2014\" AND date_zone=\"local\" AND device_uuid=\"2024566a-e076-11e3-af94-064e6bca6ab8\" AND eventtype=\"test_rb\" AND host=\"Ronaks-MacBook-}}
Values separated by AND in a bracket belong to one search result. When multiple results are obtained, you would see an OR separating two different search results.
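Putting the two answers together (the time-bounded query with an extra field filter, and the AND/OR grouping that | format returns), here is an added Python example, not code from this thread, that builds such a query and parses one JSON record from the format output back into one dict per event. The record is constructed to match the shape quoted above; the function names are my own.

```python
import json
import re

# Constructed sample: one JSON record as returned by a "... | format" search,
# carrying two events (two AND-groups joined by OR). Not taken from the thread.
FORMAT_OUTPUT = json.dumps({
    "preview": False, "offset": 0, "lastrow": True,
    "result": {"search": '( ( assigned_delay="0" AND bumped_delay="0" '
                         'AND user_name="John Paul" ) OR ( assigned_delay="5" '
                         'AND bumped_delay="1" AND user_name="Jane \\"JJ\\" Doe" ) )'},
})

# One key="value" pair; a value may contain backslash-escaped double quotes.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# One "( k="v" AND k="v" )" group, i.e. one original search result.
_GROUP = re.compile(r'\(\s*((?:\w+="(?:[^"\\]|\\.)*"\s*(?:AND\s*)?)+)\)')


def parse_format_results(record_json):
    """Turn a JSON record from a '| format' search into a list of dicts,
    one dict per event: AND separates fields, OR separates events."""
    search = json.loads(record_json)["result"]["search"]
    results = []
    for group in _GROUP.finditer(search):
        fields = {k: v.replace('\\"', '"')
                  for k, v in _PAIR.findall(group.group(1))}
        results.append(fields)
    return results


def build_search(base, earliest, latest,
                 timeformat="%m/%d/%Y:%H:%M:%S", **filters):
    """Build a search string restricted to [earliest, latest] with extra
    field="value" filters, in the form used in the thread (e.g. CLIENT_ID=10)."""
    parts = [base]
    parts += [f'{k}="{v}"' for k, v in filters.items()]
    parts += [f"timeformat={timeformat}",
              f"earliest={earliest}", f"latest={latest}"]
    return "search " + " ".join(parts)


if __name__ == "__main__":
    print(build_search("index=* source=order_sample.csv",
                       "6/10/2014:00:00:00", "11/12/2014:20:00:00", CLIENT_ID="10"))
    for event in parse_format_results(FORMAT_OUTPUT):
        print(event)
```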