There is something strange: I can see the correct results of the field extraction from a manual search, but when it is sent to a scheduled search, the completed result I see in the search job does not show all the fields, even if I select all the fields. The raw data is like field1=value1 field2=value2 ..., and when I add | fields * at the end, it only displays that.
And when I trigger it to a script alert, I can use a Python script to extract some of the fields I want, but not others.
import csv

# iterate over the rows of the results file handed to the alert script;
# openany is the poster's helper that opens the (possibly gzipped) results CSV
for row in csv.DictReader(openany(results_file)):
    ...
If I change the field "msg" to "_time" or "user", it executes correctly, but when it is set to the field "msg" or "_raw", it doesn't (here msg is the string strcat'ed from other fields). So I want to know where the search results are stored ($SPLUNK_HOME/var/run/splunk/dispatch?). I want to check whether Splunk extracted the fields correctly. Does anyone have a good suggestion for debugging this?
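One way to check what the scheduled search actually handed to the alert script, as an added example that is not the poster's code: read the results CSV the way the script does (Splunk passes its path as the eighth argument, results.csv.gz) and count, per column, how many rows carry a non-empty value, so a field that is in the header but empty in every row shows up immediately. The sample file and the openany helper are constructed here for the demonstration.

```python
import csv
import gzip
import sys
from collections import Counter


def openany(path):
    # Scheduled-search results arrive gzipped (results.csv.gz); fall back to
    # a plain open so the same helper also works on an uncompressed .csv.
    if path.endswith(".gz"):
        return gzip.open(path, "rt", newline="")
    return open(path, "rt", newline="")


def inspect_results(path):
    """Return (fieldnames, populated): populated[field] is the number of rows
    in which that field holds a non-empty value."""
    populated = Counter()
    with openany(path) as fh:
        reader = csv.DictReader(fh)
        fieldnames = list(reader.fieldnames or [])
        for row in reader:
            for name in fieldnames:
                if (row.get(name) or "").strip():
                    populated[name] += 1
    return fieldnames, populated


def missing_fields(path):
    """Fields present in the header but empty in every row of the results."""
    fieldnames, populated = inspect_results(path)
    return [f for f in fieldnames if populated[f] == 0]


def write_sample(path):
    # Constructed sample of a results.csv.gz in which 'msg' came back empty,
    # i.e. the situation described in the question.
    rows = [
        {"_time": "2024-01-01T00:00:00", "user": "alice", "msg": "", "_raw": "user=alice action=login"},
        {"_time": "2024-01-01T00:00:05", "user": "bob", "msg": "", "_raw": "user=bob action=logout"},
    ]
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "user", "msg", "_raw"])
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    # As a scripted alert, sys.argv[8] is the results file; allow a plain path for manual runs.
    results_file = sys.argv[8] if len(sys.argv) > 8 else sys.argv[1]
    names, counts = inspect_results(results_file)
    for name in names:
        print(f"{name}: {counts[name]} non-empty rows")
```

Running it against the dispatch directory's results file for the scheduled job (rather than a manual search) shows whether the column is absent from the header or present but empty, which are two different problems.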