How to execute a search and extract fields from _raw using Splunk's REST API?

Path Finder

Ref: http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

End Business Need

  1. Using the REST API, execute the search.
  2. Feed the results to an external program that renders them with an external charting library and prints the results as a PDF.
  3. Schedule the program in #2 so that it runs every 24 hours.

Current State

I've been able to write a Python program and make it work in my environment that executes the search and produces results. I used http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT as a reference.


  1. The results I get are as shown in the following record. How do I get the fields of _raw? Meaning, what does each value of _raw mean, and how do I get that information? I'm printing output as JSON and was hoping to see something like "time=value, servicetype=Delivery, userid=some value, name=yachut bhatt ...."

  2. How do I pass parameters to the search so that the searching is restricted to FROM DATE and TO DATE, plus other filters like CLIENT_ID=10, etc.?

Any pointers will be greatly appreciated.

{"preview":false,"offset":9,"lastrow":true,"result":{"_bkt":"test_order_csv_sample~0~76DA16A5-7E06-4EAA-AFD7-A0266F5D694C","_cd":"0:24","_indextime":"1421442304","_raw":"391,6/10/14 18:01,Delivery,,af0efa8e-dac1-11e3-b0a0-02b794fe8073,yachut bhatt,4f41c60e-c3c2-48b1-8c32-15e2427bcf70,7/21/14 21:45,cancelled,,,,,0,0,,55,,,,,,,,af0f03f8-dac1-11e3-b0a0-02b794fe8073,,10/13/14 18:55,0,,,0","_serial":"9","_si":["Ronaks-MacBook-Air.local","test_order_csv_sample"],"_sourcetype":"order_sample_test_csv","_time":"2014-06-10 18:01:00.000 PDT","host":"Ronaks-MacBook-Air.local","index":"test_order_csv_sample","linecount":"1","source":"order_sample.csv","sourcetype":"order_sample_test_csv","splunk_server":"Ronaks-MacBook-Air.local"}}


You are probably running a search which spits out the raw data.

First Issue

I would recommend appending | format to your query.
For example, if your current query was:

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt

edit it to make it:

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt | format

That should fix your first issue.

Second Issue

Parameters need to be sent in the query:

index=flower_shop sourcetype=errors source=folder/myflowerlog.txt earliest=-60m@m latest=-10m@m | format

For the Splunk documentation reference, click here.

Path Finder

Hi Abhijit,

Thanks for the reply. The format does add the field names; the results look like below. While much better than not having field names, I'm confused as to why it adds "AND" instead of simply "assigneddelay=0, bumpeddelay=0, user_name=John Paul ....".

Any idea?

Search Query ===> search index=* source=ordersample.csv timeformat=%m/%d/%Y:%H:%M:%S earliest=6/10/2014:00:00:00 latest=11/12/2014:20:00:00 | head 1 | format
Session Key: dNF2ZwLLIb0pHufRgsAkHxEK6VNid^UmtkDnb^VbiSE
{"preview":false,"offset":0,"lastrow":true,"result":{"search":"( ( assigneddelay=\"0\" AND bumpeddelay=\"0\" AND createdat=\"6/10/14 19:40\" AND datehour=\"19\" AND datemday=\"10\" AND dateminute=\"40\" AND datemonth=\"june\" AND datewday=\"tuesday\" AND dateyear=\"2014\" AND datezone=\"local\" AND deviceuuid=\"2024566a-e076-11e3-af94-064e6bca6ab8\" AND eventtype=\"test_rb\" AND host=\"Ronaks-MacBook-}}


Values separated by AND inside a bracket belong to one search result. When multiple results are obtained, you would see an OR separating two different search results.
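Since the asker wanted plain key=value pairs rather than the AND/OR expression, here is an added example (not code from this thread or from Splunk) that parses the "search" string returned by | format, treating each bracketed AND group as one result and OR as the separator between results, and flattens it into the "key=value, key=value" form they were hoping for. The sample input is constructed to mirror the shape shown in the reply above; it is not captured Splunk output.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "| format" output quoted in the thread.
# Values may carry backslash-escaped quotes, as real user_name fields can.
SAMPLE_FORMAT_OUTPUT = (
    '( ( assigneddelay="0" AND bumpeddelay="0" AND user_name="John Paul" ) '
    'OR ( assigneddelay="5" AND bumpeddelay="1" AND user_name="Jane \\"JJ\\" Doe" ) )'
)

# One innermost bracketed group, i.e. one search result.
# Assumption: values themselves contain no bare parentheses.
_GROUP_RE = re.compile(r"\(([^()]*)\)")
# One key="value" pair; the value may contain backslash-escaped characters.
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    """Drop the backslash escapes that format adds inside quoted values."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_format_output(text: str) -> List[Dict[str, str]]:
    """Turn the `| format` search string into one dict per result.

    Fields joined by AND inside a bracket belong to one result; the OR
    between brackets separates results. Empty groups (e.g. no results)
    are skipped rather than returned as empty dicts.
    """
    results: List[Dict[str, str]] = []
    for group in _GROUP_RE.finditer(text):
        fields = {k: _unescape(v) for k, v in _PAIR_RE.findall(group.group(1))}
        if fields:
            results.append(fields)
    return results


def to_flat_line(fields: Dict[str, str]) -> str:
    """Render one result the way the asker wanted: key=value, key=value."""
    return ", ".join(f"{k}={v}" for k, v in fields.items())


if __name__ == "__main__":
    for row in parse_format_output(SAMPLE_FORMAT_OUTPUT):
        print(to_flat_line(row))
```

Feed it the "search" value of each result object returned by the REST job, decoded from JSON first, so the \" escapes in the transport layer are already resolved.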