Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searches using the Python SDK and REST API always returning ""

ntomczek
New Member
‎05-31-2017 01:37 PM

I am new to Splunk's SDK and REST API. I'm trying to match a simple query I'm running via the UI (The App is "Search", the query is simply "error", and the duration is "Last 24 hours"). When I run the query I typically get between 300 and 400 results. I'm running the below query using the Python SDK

searchquery_normal = "search error"
kwargs_normalsearch = {"exec_mode": "normal",
                       "earliest_time": "-24h",
                       "latest_time": "now",
                       "namespace": "search"}

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

Pulled the code straight from the Splunk examples here (http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 under the "To create a normal search, poll for completion, and display results" section) I just changed the arguments. The query completes and the log information does not show any errors, but when I look at the results that is returned is:

<?xml version="1.0"?>
<results preview="0"/>

The sample code I'm using does have a process to wait for the job to complete. I've also created other versions of the query that point directly to the Splunk REST API but those return the same results as above. I have no clue what I need to look into next to try and solve this so any ideas are greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-31-2017 03:38 PM

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-31-2017 03:38 PM

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

Reply
Solved! Jump to solution

ntomczek
New Member
‎05-31-2017 04:00 PM

I was authenticated to the API and UI with the same creds but I just added an explicit index to the search and I get results back! Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-31-2017 06:03 PM

@ntomczek - I just converted micahkemp's comment to an answer. Please "Accept" the answer to close out your question. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
li.common.scroll-to.top