Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searches using the Python SDK and REST API always returning ""

ntomczek
New Member
‎05-31-2017 01:37 PM

I am new to Splunk's SDK and REST API. I'm trying to match a simple query I'm running via the UI (The App is "Search", the query is simply "error", and the duration is "Last 24 hours"). When I run the query I typically get between 300 and 400 results. I'm running the below query using the Python SDK

searchquery_normal = "search error"
kwargs_normalsearch = {"exec_mode": "normal",
                       "earliest_time": "-24h",
                       "latest_time": "now",
                       "namespace": "search"}

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

Pulled the code straight from the Splunk examples here (http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 under the "To create a normal search, poll for completion, and display results" section) I just changed the arguments. The query completes and the log information does not show any errors, but when I look at the results that is returned is:

<?xml version="1.0"?>
<results preview="0"/>

The sample code I'm using does have a process to wait for the job to complete. I've also created other versions of the query that point directly to the Splunk REST API but those return the same results as above. I have no clue what I need to look into next to try and solve this so any ideas are greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-31-2017 03:38 PM

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-31-2017 03:38 PM

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

Reply
Solved! Jump to solution

ntomczek
New Member
‎05-31-2017 04:00 PM

I was authenticated to the API and UI with the same creds but I just added an explicit index to the search and I get results back! Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-31-2017 06:03 PM

@ntomczek - I just converted micahkemp's comment to an answer. Please "Accept" the answer to close out your question. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
li.common.scroll-to.top