Splunk Search

How to execute a search and extract fields from _raw using Splunk's REST API?

ronak
Path Finder

Ref : http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

End business need

  1. Using REST API, execute the search
  2. Input data to some external program to render the results using external charting library and print the results as PDF
  3. Schedule the program in #2, so that it runs every 24 hours

Current State

I've been able to write a Python program that executes the search and produces results, and make it work in my environment. I used http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT as a reference.

Issues

  1. The results I get are as shown in the following record. How do I get the fields of _raw? Meaning, what does each value of _raw mean, and how do I get that information? I'm printing the output as JSON and was hoping to see something like "_time:value, service_type=Delivery, user_id=some value, name=yachut bhatt ...."

  2. How do I pass the parameters to the search so that searching is restricted to FROM DATE and TO DATE, PLUS other filters like CLIENT_ID=10, etc.?

Any pointers will be greatly appreciated.

{"preview":false,"offset":9,"lastrow":true,"result":{"_bkt":"test_order_csv_sample~0~76DA16A5-7E06-4EAA-AFD7-A0266F5D694C","_cd":"0:24","_indextime":"1421442304","_raw":"391,6/10/14 18:01,Delivery,,af0efa8e-dac1-11e3-b0a0-02b794fe8073,yachut bhatt,4f41c60e-c3c2-48b1-8c32-15e2427bcf70,7/21/14 21:45,cancelled,,,,,0,0,,55,,,,,,,,af0f03f8-dac1-11e3-b0a0-02b794fe8073,,10/13/14 18:55,0,,,0","_serial":"9","_si":["Ronaks-MacBook-Air.local","test_order_csv_sample"],"_sourcetype":"order_sample_test_csv","_time":"2014-06-10 18:01:00.000 PDT","host":"Ronaks-MacBook-Air.local","index":"test_order_csv_sample","linecount":"1","source":"order_sample.csv","sourcetype":"order_sample_test_csv","splunk_server":"Ronaks-MacBook-Air.local"}}
0 Karma

abhijitmishra
Explorer

You are probably running a search which spits out the raw data.

First Issue

I would recommend appending | format to your query.
For example, if your current query was

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt

Edit it to make it

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt | format

That should fix your first issue.

Second Issue

Parameters need to be sent in the query:

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt earliest=-60m@m latest=-10m@m | format

For the Splunk documentation reference, click here.

0 Karma
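An added example in Python, not code from the thread, covering both issues from the question and this answer: it builds the search string with the window passed as earliest/latest (same timeformat as the thread) and a field filter, quoting caller-supplied values and allow-listing filter fields so a value such as a CLIENT_ID read from a scheduled job's input cannot alter the search, and it splits the CSV payload carried in _raw of the one-object-per-line JSON records the REST API returns into named fields. The column names, ALLOWED_FILTER_FIELDS and the two sample records are constructed for the example.

```python
import csv
import json
from datetime import date

# Assumed allow-list of filter fields (not from the thread)
ALLOWED_FILTER_FIELDS = {"CLIENT_ID", "service_type", "user_id"}
# Constructed, hypothetical column order for the CSV payload carried in _raw
RAW_COLUMNS = ["order_id", "created_at", "service_type", "user_name", "status"]
# Two constructed records in the one-JSON-object-per-line shape from the question
SAMPLE_EXPORT = [
    '{"preview":false,"offset":0,"lastrow":false,"result":{"_raw":"391,6/10/14 18:01,'
    'Delivery,yachut bhatt,cancelled","_time":"2014-06-10 18:01:00.000 PDT"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"_raw":"392,6/11/14 09:15,'
    'Pickup,\\"Smith, Jane\\",delivered","_time":"2014-06-11 09:15:00.000 PDT"}}',
]

def spl_quote(value):
    """Render a caller-supplied value as an SPL string literal (backslash and
    double quote escaped) so it is matched as data, never parsed as SPL."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def build_search(source, from_iso, to_iso, filters=None):
    """Search string with the window passed as earliest/latest (dates given as
    ISO YYYY-MM-DD, validated before use) plus allow-listed field filters."""
    from_date, to_date = date.fromisoformat(from_iso), date.fromisoformat(to_iso)
    parts = [f"search source={spl_quote(source)}", "timeformat=%m/%d/%Y:%H:%M:%S",
             f"earliest={from_date:%m/%d/%Y}:00:00:00", f"latest={to_date:%m/%d/%Y}:23:59:59"]
    for field, value in (filters or {}).items():
        if field not in ALLOWED_FILTER_FIELDS:
            raise ValueError(f"filter field not allowed: {field}")
        parts.append(f"{field}={spl_quote(value)}")
    return " ".join(parts)

def parse_export_lines(lines, raw_columns):
    """Parse one JSON record per line and split _raw into named fields; the
    csv module (not str.split) keeps a quoted comma inside a value intact."""
    rows = []
    for line in lines:
        record = json.loads(line)
        if record.get("preview"):  # keep only final, non-preview results
            continue
        result = record["result"]
        values = next(csv.reader([result.get("_raw", "")]))
        row = {"_time": result.get("_time")}
        row.update(zip(raw_columns, values))
        rows.append(row)
    return rows
```

The search string goes into the "search" parameter of the job request exactly as the tutorial's script sends it; the RAW_COLUMNS list has to be replaced with the real header of the CSV that was indexed.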

ronak
Path Finder

Hi Abhijit

Thanks for the reply. The format does add the field names; results look like below. While much better than not having field names, I'm confused as to why it adds "AND" instead of simply "assigned_delay=0, bumped_delay=0, user_name=John Paul ...."

Any idea?

Search Query ===> search index=* source=order_sample.csv timeformat=%m/%d/%Y:%H:%M:%S earliest=6/10/2014:00:00:00 latest=11/12/2014:20:00:00 | head 1 | format
Session Key: dNF2ZwLLIb0pHufRgsAkHxEK6VNid^UmtkDnb^VbiSE_jF9cJiOaeayd4_55iQRjAqxMfG2JbQqjpj^ho28HtTB3NCOvlv4toP650z4ZMAN
{"preview":false,"offset":0,"lastrow":true,"result":{"search":"( ( assigned_delay=\"0\" AND bumped_delay=\"0\" AND created_at=\"6/10/14 19:40\" AND date_hour=\"19\" AND date_mday=\"10\" AND date_minute=\"40\" AND date_month=\"june\" AND date_wday=\"tuesday\" AND date_year=\"2014\" AND date_zone=\"local\" AND device_uuid=\"2024566a-e076-11e3-af94-064e6bca6ab8\" AND eventtype=\"test_rb\" AND host=\"Ronaks-MacBook-}}

0 Karma

abhijitmishra
Explorer

Values separated by AND in a bracket belong to one search result. When multiple results are obtained, you would see an OR separating two different search results.

0 Karma