|
I retrieved the results from the search/jobs/{search_id}/results REST endpoint. When i retrieved the results as an XML by default i saw some field values in the field xml tags with the field names of attribute k such as cd_ , si_, serial, indextime etc. retrieved when i dont see these fields appear on the fields column of the search app. What are those fields? Can i set the values for such fields whenever i want to send these field value pair to Splunk via the receiver REST endpoint. |
Refine your search:
- Apps & Questions
- Apps
- Questions
- Users
- Tags
Markdown Basics
- *italic* or _italic_
- **bold** or __bold__
- link:[text](http://url.com/ "Title")
- image?
- numbered list: 1. Foo 2. Bar
- to add a line break simply add two spaces to where you would like the new line to be.
- basic HTML tags are also supported
Tags:
Asked: 27 Mar '12, 19:19
Seen: 328 times
Last updated: 28 Mar '12, 00:40
WHY would you want to do this? Tell us!
Is it true that it is not a practice to change such fields like _cd, _si, _serial, indextime from the results retrieved in xml? I wanted to do this so when i retrieve the results i would see the values for such fields being added.
I don't understand - you want to CHANGE these values so that you can SEE them? Please explain more clearly.
Yes. That means so when i retrieve the results resulting from the search i would see the values for such fields being added.
Added? They're already returned in the result set as you point out yourself.