Team,
When we search by HTTP code 500 (internal server error) in Splunk, it works fine. When we use the same query in a Python script, we don't get any results. Could you please help me with this? Thanks
If you remove
| search httpcode=500
from the Python, does it return all the data as expected from the parent index?
Yes, correct. If I remove | search httpcode = 500, I can get the results.
@dataisbeautiful do you have any solution for this issue?
If the search without the filter returns all the data, then the filter is removing too much.
When running in Python, are the data types being changed? In Splunk the httpcode might be an integer but Python sees it as a string?
Can you validate the data from the Python to confirm the value of httpcode is what you're expecting?
@dataisbeautiful Tried to use the below query also but no luck.
searchquery_blocking = '''search index=sample source="*sample*" AND host="v*lu*" OR host="s*mple*" | search httpcode="500" '''
Still not getting any results. It's strange. I have been stuck on this for three days.
When wrapping your query in quotes, do you escape the ones contained inside?
For example
query=" index=\"name\" "
@dataisbeautiful This is not needed. The string is defined with triple single quotes as a long string, and therefore double quotes do not need to be escaped.
@BalajiRaju If your base search returns values and your filtering part causes it to not return any events at all, that would mean that you're filtering it wrong. There can be several reasons, most obvious would be that the httpcode field isn't properly extracted from the events (or simply your data doesn't have any 500 results).
Do you have any webui access or is REST the only way you're accessing your Splunk installation?
@PickleRick Yes. I have web UI access also. When I run the query in Splunk Web, I get the results. When I execute the same query through the Splunk REST API via a Python script, I am not getting any results. I don't know why.
That is interesting. Are you using the same user to search from WebUI as you're using for API access?
If not, that could mean some differences in permissions to knowledge objects - in your case - field extractions.
@PickleRick Yes. I'm using the same user with both Web UI and Rest API access.
@PickleRick @dataisbeautiful Finally found the reason. We are unable to use the fields from the Splunk REST API; that's why we couldn't get the results. I will use the _raw data to find the 500 HTTP code and get the results. Thanks for your reply.
Yeah, but the question is why you don't see the fields when spawning the search from the REST API. That's unexpected. If you're using the same user, which should obviously have the same permissions for knowledge objects, you should be getting the same behaviour.
Just to be on the safe side - your WebUI SH is the same you're spawning your REST API search against?
Not seeing the fields will stop your filter from working, but why is the question.
Hi @BalajiRaju
Can you provide the base search you're using in Splunk and the Python code for us to see?