Splunk Search

Why do I only get default indexed fields via REST or SDK call, but get more extracted fields in Splunk Web for the same search?

bwalden_splunk
Splunk Employee

This is related to http://answers.splunk.com/answers/136754/splunk-sdk-fields.html.

I've tried searching via the SDK and also direct to REST endpoints, but my results only return the default indexed fields. For instance:

curl -sku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index=_internal | head"

returns these fields:

_bkt
_cd
_indextime
_raw
_serial
_si
_sourcetype
_subsecond
_time
host
index
linecount
source
sourcetype
splunk_server

But the same search index=_internal | head in the Splunk Web UI returns many more extracted fields.

It does not seem to matter if I use an export, oneshot, or "normal" search. Setting the namespace specifically does not seem to matter either.

Any insight appreciated.

bwalden_splunk
Splunk Employee

Returned to this issue today with a couple ideas, and one of them seems to work. By adding |fields * to the search expression, my SDK searches are now returning full verbose field extractions. Kinda un-intuitive. Gonna play with it some more but looks promising. I guess the idea is to specify the fields you want in the output using the |fields command.

bw

0 Karma

j9tech_reid
Engager

We tried that. Check the performance of your searches. If there's a lot of fields, it will be geometrically WORSE. At least it was in our case.

0 Karma

laserval
Communicator

What if you reference one of the fields you're expecting? Such as search index=_internal log_level=* | head. I know that saved searches have a behaviour where they will only run extractions on fields that are used in the search.

0 Karma

j9tech_reid
Engager

We have this same issue. Our product uses the Java SDK to execute a saved search. If we don't mention the name of the field in the search, then we get no data for that field despite it showing up in the Splunk UI. We tried doing things like "| field " at the end but that causes the performance to fall off a cliff. The only solution seems to be to put "field1= field2=*" etc at the end of the query, which of course means our customers MUST modify the saved searches they want to use with our product. This is a bit unfriendly.

0 Karma
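Added example (not code from any poster in this thread): a small Python helper that builds the three search variants discussed above (the search as written, the `| fields *` form from bwalden_splunk's answer, and the `log_level=*` style field references laserval suggests), plus a parser for what the export endpoint returns when `output_mode=json` is requested. It assumes the same endpoint and credentials as the curl command in the question, and assumes the export endpoint emits one JSON object per line with the event under a "result" key; the sample output below is constructed, not captured from a real instance, so the script runs offline.

```python
"""Build SPL for the REST export endpoint and inspect which fields come back.

Added example for the thread above; assumes the endpoint, namespace and
credentials used in the question's curl command (admin:changeme on
localhost:8089) and assumes output_mode=json yields newline-delimited JSON
objects carrying each event under "result".
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Set

# The fields the question reports for a bare "search index=_internal | head".
DEFAULT_INDEXED_FIELDS = {
    "_bkt", "_cd", "_indextime", "_raw", "_serial", "_si", "_sourcetype",
    "_subsecond", "_time", "host", "index", "linecount", "source",
    "sourcetype", "splunk_server",
}


def build_search(base: str, extract: str = "none", fields: Iterable[str] = ()) -> str:
    """Return the SPL string to POST as the "search" parameter.

    extract="none"  -> the search as written (default indexed fields only)
    extract="all"   -> append "| fields *" (the fix that worked in the thread;
                       j9tech_reid reports it is much slower with many fields)
    extract="named" -> add "<field>=*" terms before the first pipe so only the
                       named fields are extracted; note this also filters out
                       events that lack those fields.
    """
    base = base.strip()
    if not base.startswith("search "):
        base = "search " + base
    if extract == "none":
        return base
    if extract == "all":
        return base + " | fields *"
    if extract == "named":
        names = list(fields)
        if not names:
            raise ValueError("extract='named' needs at least one field name")
        terms = " ".join(f"{n}=*" for n in names)
        head, sep, tail = base.partition(" | ")
        return f"{head} {terms}{sep}{tail}"
    raise ValueError(f"unknown extract mode {extract!r}")


def export_search(spl: str, base_url: str = "https://localhost:8089",
                  user: str = "admin", password: str = "changeme",
                  verify_tls: bool = True) -> str:
    """POST the search to .../search/jobs/export and return the raw response body.

    Not called by default (needs a live instance). The question's curl uses -k;
    TLS verification is kept on here unless explicitly disabled.
    """
    url = f"{base_url}/servicesNS/{user}/search/search/jobs/export"
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()


def parse_export_json(ndjson: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON from the export endpoint into event dicts.

    Preview rows (emitted while the search is still running) are skipped.
    """
    results = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview"):
            continue
        if "result" in obj:
            results.append(obj["result"])
    return results


def field_names(results: List[Dict[str, str]]) -> Set[str]:
    """Union of field names seen across all events."""
    names: Set[str] = set()
    for event in results:
        names.update(event.keys())
    return names


def extracted_fields(results: List[Dict[str, str]]) -> Set[str]:
    """Fields beyond the default indexed set, i.e. what the UI shows but the bare REST call did not."""
    return field_names(results) - DEFAULT_INDEXED_FIELDS


# Constructed sample output (not captured from a real instance) for a search
# run with "| fields *": two _internal events carrying extracted fields.
SAMPLE_EXPORT_NDJSON = """\
{"preview": false, "offset": 0, "result": {"_time": "2014-05-01T10:00:00.000-07:00", "_raw": "05-01-2014 10:00:00.000 -0700 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2", "host": "splunk01", "index": "_internal", "source": "/opt/splunk/var/log/splunk/metrics.log", "sourcetype": "splunkd", "splunk_server": "splunk01", "linecount": "1", "log_level": "INFO", "component": "Metrics", "group": "thruput", "name": "thruput", "instantaneous_kbps": "1.2"}}
{"preview": false, "offset": 1, "lastrow": true, "result": {"_time": "2014-05-01T10:00:01.000-07:00", "_raw": "05-01-2014 10:00:01.000 -0700 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out", "host": "splunk01", "index": "_internal", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd", "splunk_server": "splunk01", "linecount": "1", "log_level": "WARN", "component": "TcpOutputProc", "ip": "10.0.0.5:9997"}}
"""

if __name__ == "__main__":
    for mode, names in (("none", ()), ("all", ()), ("named", ("log_level", "component"))):
        print(f"{mode:>5}: {build_search('index=_internal | head', mode, names)}")
    events = parse_export_json(SAMPLE_EXPORT_NDJSON)
    print("extracted fields in sample:", sorted(extracted_fields(events)))
```

To run it against a live instance, pass the output of `export_search(build_search("index=_internal | head", "all"))` to `parse_export_json` and compare `extracted_fields` with what the bare search returns; the difference is the set of search-time extractions the REST call was omitting. The "named" mode is the cheaper alternative when only a few fields are needed, at the cost of excluding events where those fields are absent.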