Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk SDK fields

ifeldshteyn
Communicator
‎05-20-2014 09:20 AM

It seems like when one queries splunk the results you get are only the default indexed fields like source or sourcetype. We do not receive any extracted results that are present in Splunk web GUI.

If there is custom field extraction called bucket_id ...

Example: sourcetype=parent bucket_id=4 will return 8 results via web GUI but none via Splunk SDK search.

If there is no custom field extraction...

Example 2: sourcetype=parent will return 42 results via web GUI and Splunk SDK will return the same 42 results.

Am I doing something wrong or does this mean I have to do custom field extraction via Splunk SDK and not via Splunk?

UPDATE:

If I grab the field extraction definition and place it directly into the search using rex then the results are found in Splunk SDK.

Example 3: sourcetype=parent | rex field=_raw ".*bucket_id=(?P\w+)" | fields bucket_id shows up just fine in Splunk SDK.

This seems rather silly. What is the point of defining extractions within splunk if they are not used while performing non-gui searches? Please tell me I am missing something.

Thanks

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2014 10:48 AM

Are you running the SDK search from the same namespace as the field extraction?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2014 01:21 PM

Sounds plausible - additionally, look into whether you can run searches in a specific app namespace from the SDK.

In case of the Java SDK, this is what you need: http://docs.splunk.com/DocumentationStatic/JavaSDK/1.3/com/splunk/JobArgs.html#setNamespace%28java.l...

0 Karma
Reply

ifeldshteyn
Communicator
‎05-20-2014 12:39 PM

Looks like this was a permission error. It was app-specific extraction and by changing perm to global read splunk SDK is able to see the extractions.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...