Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Search - Report on non-existing fields [API]

srj
New Member
‎04-11-2019 01:58 AM

Hello,

I am interacting with splunk through the API (more specifically I use the search.py from the SDK).
I have a set of rules that I would like to run. Those rules have different field names than the ones I use on my Splunk.
For example one of the rules I have, searches if the dstport="4242", but my parsing on my Splunk is made differently. I have named that specific field destinationport and not dst_port. The search is therefore failing and finds 0 results. But when running multiple rules it is impossible to understand if the search returns 0 results because the field does exist or because it simply did not found anything.

I want to run multiple searches (around 200+), and force Splunk to indicate me if (for one specific search) it could not find any results BECAUSE the field(s) I am searching does not exist.

This is an example of how i perform one simple search:

search.py --verbose=1 --config=mySplunkrc.conf "search index=main host=debian"

Results:

<results preview='0'/>

This happens because my field is named Host and not host. Although not possible to understand if I found 0 because it could not find the field named "host".

Do you have a solution ?

Thank you for your time.
SRJ

0 Karma
Reply