Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Python SDK: Why do search results not contain keys for all fields?

CraigAtNuna
Explorer
‎01-06-2016 10:13 PM

I'm retrieving DNS lookup log results from Splunk using the Python SDK. One of the fields present in the log is the domain. The search returns an OrderedDict for each entry, but looking at the keys in the dict some fields (like domain) are not present. The search string is simple: search index=dnslog | tail 1. 

    blocksearch_results = splunk_job.results(**kwargs_paginate)

    for result in results.ResultsReader(blocksearch_results):
        print result['domain']  # Doesn't work - no such key

In Splunk Web, 'domain' is one of the 'interesting fields'. I can see the domain value as part of result['_raw'], but digging it out of there is not the right way to go.

How do I get the dict to contain key/value pairs for all fields?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kbarker302
Communicator
‎01-07-2016 09:55 AM

You may need to use the fields option like this and explicitly name the fields you want:

search index=dnslog | fields domain field2 field3 | tail 1

I am not using the SDK, but I do have a Python script that executes a search using the REST API. If I don't specify fields, then I just get _raw in the response (I don't even get any interesting fields.) But I do get back as separate key/value pairs anything I ask for using fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

kbarker302
Communicator
‎01-07-2016 09:55 AM

You may need to use the fields option like this and explicitly name the fields you want:

search index=dnslog | fields domain field2 field3 | tail 1

I am not using the SDK, but I do have a Python script that executes a search using the REST API. If I don't specify fields, then I just get _raw in the response (I don't even get any interesting fields.) But I do get back as separate key/value pairs anything I ask for using fields.

Reply
Solved! Jump to solution

arkadyz1
Builder
‎03-17-2016 12:07 PM

Did not work for me, alas. The reason might lie in the fact that all of the fields listed in my | fields pipe are aliased or calculated. Curiouser yet, I have this | fields <some field name>, <field name>, ... | fields -_rawfilter after my initial search, but the results don't have any of the fields while returning _raw just fine :(.

0 Karma
Reply
Solved! Jump to solution

CraigAtNuna
Explorer
‎01-07-2016 11:47 AM

That works! You should post this as the answer!

Reply
Solved! Jump to solution

kbarker302
Communicator
‎01-07-2016 12:01 PM

Thanks - actually, can you mark my comment as the answer? (There should be an option for that, maybe under the gear icon.)

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎01-08-2016 04:57 PM

I converted for you 🙂 Cheers!

Patrick

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...