Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk SDK fields

ifeldshteyn
Communicator
‎05-20-2014 09:20 AM

It seems like when one queries splunk the results you get are only the default indexed fields like source or sourcetype. We do not receive any extracted results that are present in Splunk web GUI.

If there is custom field extraction called bucket_id ...

Example: sourcetype=parent bucket_id=4 will return 8 results via web GUI but none via Splunk SDK search.

If there is no custom field extraction...

Example 2: sourcetype=parent will return 42 results via web GUI and Splunk SDK will return the same 42 results.

Am I doing something wrong or does this mean I have to do custom field extraction via Splunk SDK and not via Splunk?

UPDATE:

If I grab the field extraction definition and place it directly into the search using rex then the results are found in Splunk SDK.

Example 3: sourcetype=parent | rex field=_raw ".*bucket_id=(?P\w+)" | fields bucket_id shows up just fine in Splunk SDK.

This seems rather silly. What is the point of defining extractions within splunk if they are not used while performing non-gui searches? Please tell me I am missing something.

Thanks

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2014 10:48 AM

Are you running the SDK search from the same namespace as the field extraction?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2014 01:21 PM

Sounds plausible - additionally, look into whether you can run searches in a specific app namespace from the SDK.

In case of the Java SDK, this is what you need: http://docs.splunk.com/DocumentationStatic/JavaSDK/1.3/com/splunk/JobArgs.html#setNamespace%28java.l...

0 Karma
Reply

ifeldshteyn
Communicator
‎05-20-2014 12:39 PM

Looks like this was a permission error. It was app-specific extraction and by changing perm to global read splunk SDK is able to see the extractions.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...