I have a source named "source1" with a field named "field1". This field is not present in all events (the field is filled in only 3 percent of events). So I try to get the events with this field using the Splunk Python SDK, using the simple construction from the documentation.
import sys
from time import sleep

import splunklib.client as client

# Connection details are placeholders; the jobs collection comes from the service object
service = client.connect(host="localhost", port=8089,
                         username="admin", password="changeme")
jobs = service.jobs

# The REST search endpoint expects the query to begin with "search"
# (or a generating command), so the keyword is prefixed here
search_text = "search source=source1 field1=* earliest=-1d@d latest=@d"
job = jobs.create(search_text)
while True:
    # is_ready() refreshes the job's state from the server on every call
    while not job.is_ready():
        pass
    stats = {"isDone": job["isDone"],
             "doneProgress": float(job["doneProgress"])*100,
             "scanCount": int(job["scanCount"]),
             "eventCount": int(job["eventCount"]),
             "resultCount": int(job["resultCount"])}
    status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned "
              "%(eventCount)d matched %(resultCount)d results") % stats
    sys.stdout.write(status)
    sys.stdout.flush()
    if stats["isDone"] == "1":
        sys.stdout.write("\n\nDone!\n\n")
        break
    sleep(2)
But this search, run using the Splunk Python SDK, returns 0 results. If I run the same search in Splunk, I get the right results: events with "field1" filled. So, as I understand the situation, the search run through the Splunk Python SDK doesn't see "field1" in my source.
How can I run a search with the Splunk Python SDK that sees all fields in my source?
P.S. For example, if I run "search source=source1 earliest=-1d@d latest=@d | fieldsummary" in Splunk, I get information about 84 fields; in the Splunk Python SDK, 81 fields.
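An added example (not the poster's code and not taken from the Splunk SDK documentation) that runs the same job with the app/owner namespace, the time bounds and the search mode passed explicitly to jobs.create(), since those are the settings that most often differ between a Splunk Web session and an SDK session: knowledge objects scoped to an app, field extractions included, are only applied when the search runs in that app's namespace, and adhoc_search_level controls whether fields are discovered at all. The host, credentials and the app name "search" are placeholder assumptions, and the post does not establish which of these settings, if any, accounts for the missing field. The splunklib imports are deferred so the two helpers can be exercised without a Splunk server.

```python
"""Run a Splunk search through the Python SDK with namespace, time range
and search mode pinned explicitly.  Added example; requires
`pip install splunk-sdk` for the networked part only."""
import sys
from time import sleep

# Query from the post, with the leading "search" keyword the REST API expects.
SEARCH = "search source=source1 field1=*"


def build_job_kwargs(earliest="-1d@d", latest="@d", level="verbose", rf=None):
    """Keyword arguments for jobs.create().

    Time bounds are passed as parameters instead of inside the query string.
    adhoc_search_level mirrors the Web UI search mode (fast/smart/verbose);
    "verbose" turns field discovery fully on.  rf names a field the search
    must extract even if it were not referenced in the query.
    """
    kwargs = {
        "earliest_time": earliest,
        "latest_time": latest,
        "adhoc_search_level": level,
        "exec_mode": "normal",
    }
    if rf:
        kwargs["rf"] = rf
    return kwargs


def format_status(state):
    """Turn a job's content dict (all values arrive as strings) into
    (is_done, progress_line)."""
    stats = {
        "doneProgress": float(state["doneProgress"]) * 100,
        "scanCount": int(state["scanCount"]),
        "eventCount": int(state["eventCount"]),
        "resultCount": int(state["resultCount"]),
    }
    line = ("%(doneProgress).1f%% %(scanCount)d scanned "
            "%(eventCount)d matched %(resultCount)d results" % stats)
    return state["isDone"] == "1", line


def run_search(service, query=SEARCH, **kwargs):
    """Create the job, poll it until isDone, return (job content, result rows)."""
    job = service.jobs.create(query, **build_job_kwargs(**kwargs))
    while True:
        while not job.is_ready():      # is_ready() re-fetches job state
            sleep(0.5)
        done, line = format_status(job.content)
        sys.stdout.write("\r" + line)
        sys.stdout.flush()
        if done:
            sys.stdout.write("\n")
            break
        sleep(2)
    from splunklib import results      # deferred: only needed with a server
    rows = [r for r in results.ResultsReader(job.results(count=0))
            if isinstance(r, dict)]    # skip Message objects
    return job.content, rows


if __name__ == "__main__":
    import splunklib.client as client  # deferred: needs a Splunk server
    # Placeholder connection details; app/owner are assumptions, pick the
    # app whose props/transforms or lookups define field1.
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme",
                             app="search", owner="admin")
    content, rows = run_search(service, rf="field1")
    print("%s rows returned, field1 present in %d of them"
          % (content["resultCount"], sum("field1" in r for r in rows)))
```

If the namespaced run returns the expected events while the un-namespaced one does not, the field is coming from an app-scoped knowledge object; if both still return nothing, compare the job's `messages` entry on the job content for a parse or permission error before looking further.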