I am new to Splunk's SDK and REST API. I'm trying to match a simple query I'm running via the UI (The App is "Search", the query is simply "error", and the duration is "Last 24 hours"). When I run the query I typically get between 300 and 400 results. I'm running the below query using the Python SDK
searchquery_normal = "search error"
kwargs_normalsearch = {"exec_mode": "normal",
"earliest_time": "-24h",
"latest_time": "now",
"namespace": "search"}
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
Pulled the code straight from the Splunk examples here (http://dev.splunk.com/view/python-sdk/SP-CAAAEE5 under the "To create a normal search, poll for completion, and display results" section) I just changed the arguments. The query completes and the log information does not show any errors, but when I look at the results that is returned is:
<?xml version="1.0"?>
<results preview="0"/>
The sample code I'm using does have a process to wait for the job to complete. I've also created other versions of the query that point directly to the Splunk REST API but those return the same results as above. I have no clue what I need to look into next to try and solve this so any ideas are greatly appreciated!
... View more