Search - Report on non-existing fields [API]

Hello,

I am interacting with Splunk through the API (more specifically, I use the search.py from the SDK).
I have a set of rules that I would like to run. Those rules have different field names than the ones I use on my Splunk.
For example, one of the rules I have searches if the dstport="4242", but my parsing on my Splunk is made differently. I have named that specific field destinationport and not dst_port. The search is therefore failing and finds 0 results. But when running multiple rules it is impossible to understand if the search returns 0 results because the field does exist or because it simply did not find anything.

I want to run multiple searches (around 200+), and force Splunk to indicate to me if (for one specific search) it could not find any results BECAUSE the field(s) I am searching do not exist.

This is an example of how I perform one simple search:

search.py --verbose=1 --config=mySplunkrc.conf "search index=main host=debian"

Results:

<results preview='0'/>

This happens because my field is named Host and not host. However, it is not possible to understand if I found 0 because it could not find the field named "host".

Do you have a solution?

Thank you for your time.
SRJ

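As an added example (not code from the poster or from the Splunk SDK), one way to get the signal the question asks for: check each rule's field names against the index's field list before running the 200+ searches, so that a 0-result search can only mean "no matching events". It assumes the field list is fetched once with `| fieldsummary` through search.py and passed in; the sample fields and rules below are constructed.

```python
import re
from typing import Dict, Iterable, List, Set

# A quoted value such as "4242" or "foo bar"; blanked out before scanning so
# that an '=' inside a quoted string is not mistaken for a field comparison.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# field=value, field!=value, field>=value, ... Splunk field names are
# case-sensitive, so host and Host are different fields (the poster's case).
_TERM = re.compile(r'(?<![\w.])([A-Za-z_][\w.]*)\s*(?:!=|<=|>=|=|<|>)')


def referenced_fields(spl: str) -> Set[str]:
    """Field names compared in the search stage (before the first '|') of an
    SPL string; a misnamed field there silently yields a 0-result search."""
    head = _QUOTED.sub('""', spl).split("|", 1)[0]
    return set(_TERM.findall(head))


def missing_fields(spl: str, available: Iterable[str]) -> List[str]:
    """Fields the rule compares against that the index does not have."""
    known = set(available)
    return sorted(f for f in referenced_fields(spl) if f not in known)


def triage_rules(rules: Dict[str, str], available: Iterable[str]) -> Dict[str, List[str]]:
    """Rule name -> missing fields. An empty list means the rule is safe to
    run, so a 0-result answer really means 'no matching events'."""
    known = set(available)
    return {name: missing_fields(spl, known) for name, spl in rules.items()}


def fieldsummary_query(index: str) -> str:
    """SPL that lists the fields present in an index. Run it once through
    search.py and feed the 'field' column to triage_rules() (assumed flow)."""
    return f"search index={index} | fieldsummary | fields field"


# Constructed sample: fields as fieldsummary might report them for the
# poster's index, and rules written against differently named fields.
SAMPLE_FIELDS = {"index", "Host", "destinationport", "srcip", "_time", "_raw"}
SAMPLE_RULES = {
    "suspicious-port": 'search index=main dstport="4242"',
    "debian-host": "search index=main host=debian",
    "ok-rule": "search index=main Host=debian destinationport!=22 | stats count by srcip",
}

if __name__ == "__main__":
    for name, missing in triage_rules(SAMPLE_RULES, SAMPLE_FIELDS).items():
        print(f"{name}: " + (", ".join(missing) + " missing" if missing else "ok"))
```

Rules reported with missing fields are the ones whose `<results preview='0'/>` would be meaningless; rename the fields in those rules (or add field aliases on the Splunk side) before running the batch.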