Splunk Search

"rf" search job parameter - not working

arkadyz1
Builder

I'm submitting a search through splunklib (PythonSDK). On the output side, I need some fields which are all either aliased or calculated ones. So I figured I'd supply the rf search parameter along with the rest of the needed stuff (like "search", "exec_mode", "earliest_time", "latest_time" etc.). I made sure I connected via client.connect with the app keyword set to the application where those field extractions and aliases are defined. In addition, I tried to specify namespace search parameter, again supplying the name of the application.

No luck - the results (extracted via ResultsReader) never contained any of those fields I specified in rf. I tried both comma-separated and whitespace-separated, quoted and unquoted list (like field1, field2, ..., "field1" "field2" ... etc.) to no avail.

Anything else that I'm missing?

1 Solution

arkadyz1
Builder

Found an answer minutes after I posted the question.
rf is supposed to be a list. So the right way is 'rf': ['field1', 'field2', ... ] (in a kwargs dictionary) or rf=['field1', 'field2', ...] in the method call itself.


srikspunk
New Member

Default fields like "source", "host" are also showing up in the response; how can only the required fields be shown?


zhatsispgx
Path Finder

Hi, can you share your code here? I'm running into the same issue, but even when I add 'rf': ['field1', 'field2'] etc. I do not see the results.


arkadyz1
Builder

Make sure you extract those fields first in the search string, with | fields ...

Another point to check: if the fields are not auto-extracted, and the extractions and transforms are in the app's props.conf/transforms.conf, make sure you run that search in that app's context.

For example (Python code):

from splunklib import results

kwargs_oneshot = {'earliest_time': earliest, 'latest_time': latest,
                  'namespace': APP_NAME,
                  'rf': ['field1', 'field2']}  # rf must be a list, not a comma-separated string

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

# read the rows back; the rf fields appear as keys of each result dict
for result in results.ResultsReader(oneshotsearch_results):
    print(result)

See that namespace keyword argument? It's important to have if you expect the props+transforms of your app to work.

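The accepted answer ("rf is supposed to be a list") and the final post above both come down to how splunklib serialises the job parameters before they reach the search/jobs REST endpoint. The following is an added example, not code from this thread or from the Splunk SDK itself: it reproduces the SDK's encoding rule for keyword arguments (a list value is repeated as key=value pairs, anything else is sent once) so you can see offline why a comma-separated string for rf is sent as a single, non-existent field name while a list is sent as one rf entry per field. The helper that assembles the kwargs rejects a bare string for rf, carries the namespace argument the last post insists on, and is the only part that touches splunklib, lazily, so the rest runs without the SDK installed. The field names, app name and time range are made-up placeholders.

```python
"""Added example: why rf needs a list when submitting a splunklib search job.

Not from the original thread or the Splunk SDK. encode_job_params() mirrors
the SDK's binding-layer rule for keyword arguments (list values become
repeated parameters); the rest is a small wrapper around building kwargs.
"""
from urllib.parse import parse_qs, urlencode


def encode_job_params(**kwargs):
    """Mirror of how splunklib URL-encodes job parameters.

    A list value is expanded to one key=value pair per element; every other
    value is sent once. This is what makes rf=['a', 'b'] arrive at the REST
    endpoint as rf=a&rf=b, and rf='a, b' arrive as a single rf=a%2C+b.
    """
    items = []
    for key, value in kwargs.items():
        if isinstance(value, list):
            items.extend((key, item) for item in value)
        else:
            items.append((key, value))
    return urlencode(items)


def required_fields_as_sent(**kwargs):
    """Return the rf values exactly as the search endpoint would parse them."""
    return parse_qs(encode_job_params(**kwargs)).get("rf", [])


def build_search_kwargs(earliest, latest, app, required_fields):
    """Assemble kwargs for service.jobs.oneshot()/jobs.create() with a valid rf.

    required_fields must be a list or tuple of field names. A bare string is
    refused up front: str is iterable, but the SDK would not split it, and
    the job would quietly ask for one field named "field1, field2".
    """
    if isinstance(required_fields, str):
        raise TypeError("rf must be a list of field names, not a string")
    fields = [str(name).strip() for name in required_fields]
    if not fields or any(not name for name in fields):
        raise ValueError("rf needs at least one non-empty field name")
    return {
        "earliest_time": earliest,
        "latest_time": latest,
        # run in the app whose props.conf/transforms.conf define the fields,
        # otherwise the extractions never fire and rf has nothing to return
        "namespace": app,
        "rf": fields,
    }


def run_oneshot(service, query, **kwargs):
    """Submit the search through a live splunklib Service and collect rows.

    Imported lazily so everything above runs without the SDK installed.
    """
    from splunklib import results  # real SDK module; needs a connected Service

    return list(results.ResultsReader(service.jobs.oneshot(query, **kwargs)))


if __name__ == "__main__":
    # Placeholder values; real code would pass an app name and search of its own.
    wrong = {"rf": "field1, field2"}                      # what the question tried
    right = build_search_kwargs("-24h", "now", "my_app", ["field1", "field2"])
    print("string rf is sent as:", required_fields_as_sent(**wrong))
    print("list rf is sent as:  ", required_fields_as_sent(**right))
    print("encoded body:", encode_job_params(**right))
```

If you want only the rf fields back, the search string itself still needs a trailing `| fields field1 field2`, as the last post says; rf tells the job which fields to extract, it does not strip the others from the output.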