sophe

Reputation: 161

How do I get the full content of a Splunk search result when using the Python SDK?

I can get the results from a one_shot query, but I can't get the full content of the _raw field.

import splunklib.client as client
import splunklib.results as results

def splunk_oneshot(search_string, **CARGS):
    # Run a oneshot search and display the results using the results reader

    service = client.connect(**CARGS)
    oneshotsearch_results = service.jobs.oneshot(search_string)

    # Get the results and display them using the ResultsReader
    reader = results.ResultsReader(oneshotsearch_results)
    for item in reader:
        for key in item.keys():
            print(key, len(item[key]), item[key])

This gives me the following for _raw:

('_raw', 120, '2013-05-03 22:17:18,497+0000 [SWF Activity  attNsgActivitiesTaskList1 19] INFO  c.s.r.h.s.a.n.AttNsgSmsRequestAdapter - ')

So this content is truncated at 120 characters. I need the entire value of the search result, because I need to run some string comparisons thereupon. I have not found any documentation on the ResultsReader fields or their size restrictions.

Upvotes: 3

Views: 5829

Answers (1)

hexx

Reputation: 46

My best guess is that this is caused by the insertion of special tags in the event raw data to highlight matched search terms in the Splunk UI front-end. In all likelihood, your search string specifies a matching literal term present in the raw data right at the point of truncation. This is not an appropriate default behavior for the SDK result-fetching method and there is currently a bug opened to fix this (internal reference DVPL-1519).

Fortunately, avoiding this problem is fairly trivial: One simply needs to pass segmentation='none' as an argument to the job.results() method:

(...)
oneshotsearch_results = service.jobs.oneshot(search_string, segmentation='none')
(...)

Do note that the 'segmentation' argument for the service.jobs() method is only available on Splunk 5.0 and onwards.

Upvotes: 3
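To make the failure mode described in the answer concrete, here is an added example (not the asker's code and not part of the Splunk SDK) that parses a constructed results-XML fragment. It assumes Splunk's XML output wraps matched terms in an `<sg>` highlight element inside the `_raw` value when segmentation is on; a reader that only takes the element's leading text stops at that tag, while walking all text nodes (or requesting segmentation='none', which yields no such tags) returns the whole event.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on Splunk's XML results output with
# segmentation enabled: the matched term is wrapped in an <sg> highlight
# element inside _raw (assumed format; not taken from the original page).
SEGMENTED_RESULT = (
    '<results><result offset="0"><field k="_raw">'
    '<v xml:space="preserve">2013-05-03 22:17:18,497+0000 [SWF Activity  '
    'attNsgActivitiesTaskList1 19] INFO  c.s.r.h.s.a.n.AttNsgSmsRequestAdapter - '
    '<sg h="1">Sending</sg> SMS to subscriber 1234</v>'
    '</field></result></results>'
)

# The same event as returned with segmentation='none': no highlight elements.
PLAIN_RESULT = (
    '<results><result offset="0"><field k="_raw">'
    '<v xml:space="preserve">2013-05-03 22:17:18,497+0000 [SWF Activity  '
    'attNsgActivitiesTaskList1 19] INFO  c.s.r.h.s.a.n.AttNsgSmsRequestAdapter - '
    'Sending SMS to subscriber 1234</v>'
    '</field></result></results>'
)


def _raw_element(results_xml):
    """Locate the <v> element holding the _raw field of the first result."""
    root = ET.fromstring(results_xml)
    return root.find("./result/field[@k='_raw']/v")


def raw_text_naive(results_xml):
    """_raw as seen by a reader that only takes the element's leading text.

    ElementTree's .text holds only the characters before the first child
    element, so a highlight tag in the middle of the event cuts it short.
    """
    return _raw_element(results_xml).text or ""


def raw_text_full(results_xml):
    """Complete _raw value, including text inside and after any <sg> tags."""
    return "".join(_raw_element(results_xml).itertext())


def is_truncated(results_xml):
    """True when the naive read loses part of the event, i.e. when
    highlight tags are present and the full text was needed."""
    return raw_text_naive(results_xml) != raw_text_full(results_xml)
```

With the segmented fragment the naive read returns exactly the 120-character prefix shown in the question, while the plain (segmentation='none') fragment reads the same either way.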
