Splunk Search

Searches using the Python SDK and REST API always returning ""

New Member

I am new to Splunk's SDK and REST API. I'm trying to match a simple query I'm running via the UI (The App is "Search", the query is simply "error", and the duration is "Last 24 hours"). When I run the query I typically get between 300 and 400 results. I'm running the below query using the Python SDK

searchquery_normal = "search error"
kwargs_normalsearch = {"exec_mode": "normal",
                       "earliest_time": "-24h",
                       "latest_time": "now",
                       "namespace": "search"}

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

Pulled the code straight from the Splunk examples here (http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 under the "To create a normal search, poll for completion, and display results" section) I just changed the arguments. The query completes and the log information does not show any errors, but when I look at the results that is returned is:

<?xml version="1.0"?>
<results preview="0"/>

The sample code I'm using does have a process to wait for the job to complete. I've also created other versions of the query that point directly to the Splunk REST API but those return the same results as above. I have no clue what I need to look into next to try and solve this so any ideas are greatly appreciated!

0 Karma
1 Solution

Champion

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

View solution in original post

Champion

Have you tried adding an explicit index= to your search? Are you authenticated via the API with the same credentials you use with the web UI?

View solution in original post

New Member

I was authenticated to the API and UI with the same creds but I just added an explicit index to the search and I get results back! Thanks for the help!

0 Karma

Splunk Employee
Splunk Employee

@ntomczek - I just converted micahkemp's comment to an answer. Please "Accept" the answer to close out your question. Thanks!

0 Karma