Splunk Search

Why does stats via Python SDK export return multiple sets of results?

alancalvitti
Path Finder

I get a different result set when using jobs.export of the Python SDK with a simple stats query compared to the same query (and time range) on the Splunk UI.

The jobs.export returns a list of results of the following form, so there is a repeating pattern with several sets of "lastrow":true and repeating "offset", almost as if partial results are included several times.

Only the last set matches the final results of the query on the UI. 

Schematically the results of this call:

jobs.export("search my_id | stats count by index").read().decode('utf8').split('\n')

have this form

['{"preview":true, "offset":0, "result": {"index": "index_a", "count":"2"}}',
'{"preview":true, "offset":1, "result": {"index": "index_b", "count":"4"}}',
'{"preview":true, "offset":2, "lastrow":true, "result": {"index": "index_b", "count":"4"}}',
'{"preview":true, "offset":0, "result": {"index": "index_a", "count":"6"}}',
'{"preview":true, "offset":1, "result": {"index": "index_b", "count":"12"}}',
'{"preview":true, "offset":2, "lastrow":true, "result": {"index": "index_b", "count":"50"}}',
'{"preview":true, "offset":0, "result": {"index": "index_a", "count":"18"}}',
'{"preview":true, "offset":1, "result": {"index": "index_b", "count":"102"}}',
'{"preview":true, "offset":2, "lastrow":true, "result": {"index": "index_b", "count":"499"}}',
'{"preview":true, "offset":0, "result": {"index": "index_a", "count":"18"}}',
'{"preview":true, "offset":1, "result": {"index": "index_b", "count":"102"}}',
'{"preview":true, "offset":2, "lastrow":true, "result": {"index": "index_b", "count":"499"}}',
]

The last couple of segments ending with "lastrow":true share the same count that matches that in the UI.

Is there some flag we need to insert in kwargs? Currently using only earliest_time, latest_time, count:0 and sample_ratio:1

0 Karma
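
An added example, not part of the original post and not Splunk SDK code: one way to reduce line-delimited JSON of the shape shown above to a single result set, by splitting the stream at each "lastrow":true row and keeping the last set. The function names and the sample lines are constructed for illustration, and preferring a set whose rows carry "preview":false over preview sets is an assumption about the stream.

```python
import json

# Constructed sample modeled on the rows in the post: two sets, each closed
# by "lastrow": true, plus the empty string left behind by split('\n').
SAMPLE = [
    '{"preview":true, "offset":0, "result": {"index": "index_a", "count":"2"}}',
    '{"preview":true, "offset":1, "lastrow":true, "result": {"index": "index_b", "count":"4"}}',
    '{"preview":true, "offset":0, "result": {"index": "index_a", "count":"18"}}',
    '{"preview":true, "offset":1, "lastrow":true, "result": {"index": "index_b", "count":"499"}}',
    '',
]


def split_result_sets(lines):
    """Group rows into result sets; a set ends at a row with "lastrow": true."""
    sets, current = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # blank entries produced by split('\n')
        row = json.loads(line)
        if "result" not in row:
            continue  # ignore rows that carry no result payload
        # An offset that restarts at 0 also begins a new set, in case the
        # previous set was cut off before its "lastrow" marker.
        if current and row.get("offset") == 0:
            sets.append(current)
            current = []
        current.append(row)
        if row.get("lastrow"):
            sets.append(current)
            current = []
    if current:
        sets.append(current)
    return sets


def final_results(lines):
    """Return the result dicts of the set to keep.

    Assumption: a set with no "preview": true rows is final and wins;
    otherwise the last set in the stream is used, as observed in the post.
    """
    sets = split_result_sets(lines)
    if not sets:
        return []
    non_preview = [s for s in sets if not any(r.get("preview") for r in s)]
    chosen = non_preview[-1] if non_preview else sets[-1]
    return [r["result"] for r in chosen]
```

With the call from the post, the input would be the list produced by `.read().decode('utf8').split('\n')`.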