Hi Everyone,

I'm running a query via the Splunk REST API (using Python), and need to filter events based on the following requirements:

- Always include events where TITLE is one of: A, B, C, D, E
- Only include events where TITLE=F and FROM=1 OR TITLE=G and FROM=2

This works fine in Splunk Web, but when sent via the REST API the conditional clause for TITLEs F and G doesn't get applied correctly.

Works via Splunk Web and REST (without filtering based on FROM):

index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR Title=F OR Title=G

Works on Web, not via REST (filtering based on FROM):

index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR (Title=F and FROM=1) OR (Title=G AND FROM=2)

I've tried to apply the filtering downstream, but the issue persists. I'm unable to query a saved search because some fields are extracted at search time and aren't available when accessed via the REST API. As a result, I need to extract those fields directly within the query itself when using the REST API. (Note: the TITLE field is being extracted correctly.)

Many thanks.
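As an added example (not code from the post above), the following Python script builds the search with every OR branch explicitly parenthesised and with the `search` command prefix the REST endpoint expects, submits it as a oneshot job to `/services/search/jobs`, and checks the returned rows against a local reference predicate that states exactly which events the requirements keep. The host, token, and the sample events are placeholders and constructed data, not values from the post.

```python
import json
import urllib.parse
import urllib.request

# Placeholder connection details (assumptions, not from the post).
SPLUNK_URL = "https://splunk.example.com:8089"
SPLUNK_TOKEN = "REPLACE_WITH_TOKEN"

ALWAYS = ["A", "B", "C", "D", "E"]
CONDITIONAL = {"F": "1", "G": "2"}   # Title -> FROM value required for that title


def build_spl(index="my_index", system="MySystem*"):
    """Build the search string: one parenthesised OR group wrapping every
    branch, prefixed with the 'search' command required by the REST API."""
    branches = [f'Title="{t}"' for t in ALWAYS]
    branches += [f'(Title="{t}" AND FROM="{v}")' for t, v in CONDITIONAL.items()]
    return f'search index={index} System="{system}" ({" OR ".join(branches)})'


def matches(event):
    """Reference predicate: what the requirements say should be kept."""
    title, frm = event.get("Title"), event.get("FROM")
    return title in ALWAYS or CONDITIONAL.get(title) == frm


def unexpected(results):
    """Rows a search returned that the reference predicate rejects; a
    non-empty list means the conditional FROM clause was not applied."""
    return [r for r in results if not matches(r)]


def submit_oneshot(spl, url=SPLUNK_URL, token=SPLUNK_TOKEN):
    """POST the search as a oneshot job and return its JSON result rows."""
    body = urllib.parse.urlencode({"search": spl, "exec_mode": "oneshot",
                                   "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{url}/services/search/jobs", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["results"]


# Constructed sample rows standing in for what Splunk would return.
SAMPLE_EVENTS = [
    {"Title": "A", "FROM": "9"},   # always kept
    {"Title": "F", "FROM": "1"},   # kept: FROM matches
    {"Title": "F", "FROM": "2"},   # must be dropped: wrong FROM
    {"Title": "G", "FROM": "2"},   # kept
    {"Title": "H", "FROM": "1"},   # must be dropped: title not listed
]

if __name__ == "__main__":
    print(build_spl())
    print("unexpected rows:", unexpected(submit_oneshot(build_spl())))
```

Running `unexpected()` over the rows the REST call returns gives a direct comparison between what Splunk Web shows and what the API delivered for the same query string.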