Splunk Search

"rf" search job parameter - not working

arkadyz1
Builder

I'm submitting a search through splunklib (Python SDK). On the output side, I need some fields which are all either aliased or calculated ones. So I figured I'd supply the rf search parameter along with the rest of the needed stuff (like "search", "exec_mode", "earliest_time", "latest_time" etc.). I made sure I connected via client.connect with the app keyword set to the application where those field extractions and aliases are defined. In addition, I tried to specify the namespace search parameter, again supplying the name of the application.

No luck - the results (extracted via ResultsReader) never contained any of those fields I specified in rf. I tried both comma-separated and whitespace-separated, quoted and unquoted list (like field1, field2, ..., "field1" "field2" ... etc.) to no avail.

Anything else that I'm missing?

0 Karma
1 Solution

arkadyz1
Builder

Found an answer minutes after I posted the question.
rf is supposed to be a list. So the right way is 'rf': ['field1', 'field2', ... ] (in a kwargs dictionary) or rf=['field1', 'field2', ...] in the method call itself.

0 Karma

srikspunk
New Member

Default fields like "source", "host" are also showing up in the response; how can only the required fields be shown?

0 Karma

zhatsispgx
Path Finder

Hi, can you share your code here? I'm running into the same issue, but even when I add 'rf': ['field1', 'field2'] etc. I do not see the results.

0 Karma

arkadyz1
Builder

Make sure you extract those fields first in the search string, with | fields ...

Another point to check: if the fields are not auto-extracted, and the extractions and transforms are in the app's props.conf/transforms.conf, make sure you run that search in that app's context.

For example (Python code):

kwargs_oneshot = {'earliest_time': earliest, 'latest_time': latest, 'namespace': APP_NAME, 'rf': ['field1', 'field2']}

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

See that namespace keyword argument? It's important to have if you expect the props+transforms of your app to work.

0 Karma
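As an added example (not the original poster's code), this is how the pieces of the thread fit together end to end: the search string gets a trailing | fields clause, rf is passed as a real Python list (a comma- or space-separated string is rejected, since that was the original mistake), namespace pins the app context, and ResultsReader output is reduced to just the requested fields. APP_NAME, BASE_SEARCH, REQUIRED_FIELDS and the SPLUNK_* environment variable names are constructed values for illustration.

```python
import os
from typing import Iterable, Iterator, Sequence

# Constructed sample values; replace with your own app name and search.
APP_NAME = "my_search_app"
BASE_SEARCH = "search index=main sourcetype=access_combined"
REQUIRED_FIELDS = ["field1", "field2"]


def build_search(base_search: str, fields: Sequence[str]) -> str:
    """Append '| fields ...' so the aliased/calculated fields are extracted in the search itself."""
    return f"{base_search} | fields {' '.join(fields)}"


def build_oneshot_kwargs(earliest: str, latest: str, app: str, fields: Sequence[str]) -> dict:
    """Build the kwargs for service.jobs.oneshot(); 'rf' must be a list, not a string."""
    if isinstance(fields, str):
        # "field1, field2" or "field1 field2" is the mistake from the original question.
        raise TypeError("rf must be a list of field names, not a string")
    return {
        "earliest_time": earliest,
        "latest_time": latest,
        "namespace": app,    # run in the app's context so its props/transforms apply
        "rf": list(fields),  # required fields, passed as a list
    }


def project_rows(rows: Iterable, fields: Sequence[str]) -> Iterator[dict]:
    """Keep only the requested fields from ResultsReader output, skipping Message objects."""
    for row in rows:
        if not isinstance(row, dict):
            continue  # splunklib.results.Message (info/debug), not an event
        yield {name: row.get(name) for name in fields}


def run_oneshot(fields: Sequence[str] = REQUIRED_FIELDS) -> list:
    """Connect and run the search; needs a reachable Splunk server and credentials in the environment."""
    import splunklib.client as client
    import splunklib.results as results

    service = client.connect(
        host=os.environ["SPLUNK_HOST"], port=int(os.environ.get("SPLUNK_PORT", "8089")),
        username=os.environ["SPLUNK_USER"], password=os.environ["SPLUNK_PASSWORD"],
        app=APP_NAME,  # same app context as the namespace kwarg below
    )
    kwargs = build_oneshot_kwargs("-24h", "now", APP_NAME, fields)
    stream = service.jobs.oneshot(build_search(BASE_SEARCH, fields), **kwargs)
    return list(project_rows(results.ResultsReader(stream), fields))
```

Calling run_oneshot() returns a list of dicts containing only the requested fields, so default fields such as host and source no longer appear in what the caller sees.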