Splunk Search

"rf" search job parameter - not working

arkadyz1
Builder

I'm submitting a search through splunklib (PythonSDK). On the output side, I need some fields which are all either aliased or calculated ones. So I figured I'd supply the rf search parameter along with the rest of the needed stuff (like "search", "exec_mode", "earliest_time", "latest_time" etc.). I made sure I connected via client.connect with the app keyword set to the application where those field extractions and aliases are defined. In addition, I tried to specify namespace search parameter, again supplying the name of the application.

No luck - the results (extracted via ResultsReader) never contained any of those fields I specified in rf. I tried both comma-separated and whitespace-separated, quoted and unquoted list (like field1, field2, ..., "field1" "field2" ... etc.) to no avail.

Anything else that I'm missing?

Tags (2)
0 Karma
1 Solution

arkadyz1
Builder

Found an answer minutes after I posted the question.
rf is supposed to be a list. So the right way is 'rf': ['field1', 'field2', ... ] (in a kwargs dictionary) or rf=['field1', 'field2', ...] in the method call itself.

View solution in original post

0 Karma

arkadyz1
Builder

Found an answer minutes after I posted the question.
rf is supposed to be a list. So the right way is 'rf': ['field1', 'field2', ... ] (in a kwargs dictionary) or rf=['field1', 'field2', ...] in the method call itself.

0 Karma

srikspunk
New Member

Defaults fields like "source" ,"host" are also showing up in the response ; how can only the required fields be shown?

0 Karma

zhatsispgx
Path Finder

Hi can you share your code here? I'm running into the same issue but even when i add 'rf': ['field1', 'field2'] etc i do not see the results.

0 Karma

arkadyz1
Builder

Make sure you extract those fields first in the search string, with | fields ...

Another point to check: if the fields are not auto-extracted, and the extractions and transforms are in the apps props.conf/transforms.conf, make sure you run that search in that app's context.

For example (Python code):

kwargs_oneshot = {'earliest_time': earliest, 'latest_time': latest,'namespace': APP_NAME,'rf':['field1','field2']}

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

See that namespace keyword argument? It's important to have if you expect the props+transforms of your app to work.

0 Karma
Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...