Splunk Search

"rf" & "f" search job parameter is showing default fields also

srikspunk
New Member

I am trying to get the summary of the fields using the search/jobs API from a Python program.

When using the curl command, I am able to get only the required fields specified (as below), but using the Python program I am getting the required fields and also the default fields like "source", "host".

How do I include only the required fields in the response?

Using CURL:

POST:

curl -k -u uid:pwd https://localhost:8089/services/search/jobs -d status_buckets=1 -d rf=ID1 -d rf=ID2 -d 'search=search source="test.txt"'

GET:

curl -k -u uid:pwd https://localhost:8089/services/search/jobs/<JOB_ID>/summary --get -d f=ID1 -d f=ID2

Using Python Program:

POST:

import requests

# placeholder endpoint, same host/port as the curl command above
API_EndPoint1 = 'https://localhost:8089/services/search/jobs'
pdata = {'status_buckets': '1', 'rf': ['ID1', 'ID2'], 'search': 'search source="test.txt"'}
resp = requests.post(url=API_EndPoint1, data=pdata, auth=('uid', 'pwd'))

GET:

# placeholder endpoint; <JOB_ID> is the sid returned by the POST above
API_EndPoint2 = 'https://localhost:8089/services/search/jobs/<JOB_ID>/summary'
gdata = {'f': ['ID1', 'ID2']}
# data= sends the field list in the request body, not in the query string
resp = requests.get(url=API_EndPoint2, data=gdata, auth=('uid', 'pwd'))

Thank you

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

You can achieve it like this.

For example, I am running the query index=_internal | stats count by host,sourcetype and I want only sourcetype and count, then I'll write the below code in Python:

import requests
import json

# placeholders: management host/port and the sid of a finished search job
uri = 'https://<SPLUNK_SERVER:SPLUNK_MGMT_PORT>/services/search/jobs/<JOB_ID>/results'
# 'f' is repeated once per wanted field in the query string
params = {'output_mode': 'json', 'f': ['sourcetype', 'count']}
# verify=False skips TLS certificate checking; point it at a CA bundle outside a lab
resp = requests.get(uri, auth=('admin', 'password'), params=params, verify=False)
r = json.loads(resp.content)
print(json.dumps(r['results']))


0 Karma


srikspunk
New Member

It is giving the required fields, i.e. sourcetype and count, and also the default fields like source, host, which I don't want.

0 Karma

srikspunk
New Member

Thank you. I am able to get it with 'f' and 'params' in GET.
What if I want to remove all default fields and get all the remaining fields available? Is it possible without giving each field name explicitly? Thanks again.

0 Karma

harsmarvania57
SplunkTrust

I am not aware of any such parameter which ignores default fields like host, source, sourcetype.

0 Karma

harsmarvania57
SplunkTrust

If possible, can you please share your script so that we can check it (mask any sensitive data if present in your script)?

With the above script I am getting correct data in my lab environment:

>>> print json.dumps(r['results'])
[{"count": "25", "sourcetype": "scheduler"}, {"count": "25", "sourcetype": "splunk_archiver-2"}, {"count": "24", "sourcetype": "splunk_web_access"}, {"count": "6", "sourcetype": "splunk_web_service"}, {"count": "224826", "sourcetype": "splunkd"}, {"count": "712", "sourcetype": "splunkd_access"}, {"count": "1143", "sourcetype": "splunkd_ui_access"}]

0 Karma
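To make the difference between the two GET calls in this thread visible without a Splunk server, here is an added example (not code from the thread or from Splunk). It prepares the requests with the requests library but does not send them, so you can see that with params= the repeated f keys land in the URL query string, while with data= (as in the question's GET) they land in the request body and the URL carries no field filter at all. It also prepares the POST with repeated rf keys, and answers the follow-up about dropping default fields with a client-side filter, since no server-side parameter was found. BASE_URL, JOB_ID, the DEFAULT_FIELDS set and SAMPLE_ROWS are all assumptions or constructed values, not from the thread; fetch_results is the only function that talks to a server and uses a CA bundle path for verify instead of False.

```python
import requests

# Placeholders (assumed, not from the thread): your management host/port and
# the sid returned when the job was created.
BASE_URL = "https://splunk.example.com:8089"
JOB_ID = "<JOB_ID>"

# Assumed set of fields Splunk attaches to events by default, used only for
# the client-side filter below; it is not a REST API parameter.
DEFAULT_FIELDS = {
    "_raw", "_time", "_indextime", "_bkt", "_cd", "_serial", "_si",
    "host", "index", "linecount", "punct", "source", "sourcetype",
    "splunk_server", "timestamp",
}

# Constructed sample rows shaped like the thread's stats output, with the
# unwanted default fields the question describes mixed in.
SAMPLE_ROWS = [
    {"count": "25", "sourcetype": "scheduler", "host": "idx1",
     "source": "/opt/splunk/var/log/splunk/scheduler.log"},
    {"count": "712", "sourcetype": "splunkd_access", "host": "idx1",
     "source": "/opt/splunk/var/log/splunk/splunkd_access.log"},
]


def results_url(base_url, sid):
    return f"{base_url}/services/search/jobs/{sid}/results"


def build_results_request(base_url, sid, fields, how="params"):
    """Prepare, without sending, the GET for a job's results.

    how="params": the repeated f keys go into the query string, which is
    what worked in the thread.  how="data": they go into the request body,
    which is what the question's GET did and which left every field in
    the response.
    """
    query = {"output_mode": "json", "f": list(fields)}
    kwargs = {"params": query} if how == "params" else {"data": query}
    return requests.Request("GET", results_url(base_url, sid), **kwargs).prepare()


def build_job_request(base_url, search, required_fields):
    """Prepare the POST that creates the job: rf is repeated once per field
    and the search string starts with the 'search' command."""
    form = {"status_buckets": "1", "rf": list(required_fields), "search": search}
    return requests.Request("POST", f"{base_url}/services/search/jobs", data=form).prepare()


def strip_default_fields(rows, keep=()):
    """Client-side fallback for the follow-up question: drop the default
    fields from each row without listing the wanted ones, except those
    named in keep."""
    drop = DEFAULT_FIELDS - set(keep)
    return [{k: v for k, v in row.items() if k not in drop} for row in rows]


def fetch_results(base_url, sid, fields, auth, ca_bundle, timeout=30):
    """Send the real request.  verify is a CA bundle path rather than False,
    so the management port's certificate is checked; auth is the
    (user, password) tuple requests expects."""
    resp = requests.get(
        results_url(base_url, sid),
        params={"output_mode": "json", "f": list(fields)},
        auth=auth, verify=ca_bundle, timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()["results"]


if __name__ == "__main__":
    good = build_results_request(BASE_URL, JOB_ID, ["sourcetype", "count"])
    bad = build_results_request(BASE_URL, JOB_ID, ["sourcetype", "count"], how="data")
    print("params ->", good.url, "| body:", good.body)
    print("data   ->", bad.url, "| body:", bad.body)
    print(strip_default_fields(SAMPLE_ROWS, keep=("sourcetype",)))
```

Running the script prints the two prepared URLs side by side: the params= version ends in ?output_mode=json&f=sourcetype&f=count and has no body, the data= version has a bare URL and the same string in its body, which is why the question's GET returned every field. strip_default_fields only helps after the fact; it cannot reduce what splunkd sends, so the f parameter remains the right tool when you know the field names.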