Some More Details:
When I output the search from the Splunk UI, I get the following fields:
_raw
_time
app
appId
correlationId
eventtype
host
index
items.access_type
items.article_id
items.data.fed_id
items.eventType
items.fed_id
items.institution_id
items.journal_id
items.logLevel
items.referer_url
items.request_date
items.request_method
items.resource_type
items.session_id
items.status_code
items.time
items.url
items.userIp
items.user_agent
items.user_id
items.user_name
level
linecount
message
product
punct
source
sourcetype
splunk_server
splunk_server_group
tag
tag::eventtype
vendor
What I get as output from the Splunk API includes only a subset of those fields, which is:
_serial
_time
source
sourcetype
host
index
splunk_server
_raw
I would greatly appreciate advice on how to mimic the Splunk UI output with the Splunk API. Your help would be greatly appreciated.
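Added example (my own code, not part of the post above and not Splunk's SDK) showing the two halves of the gap the post describes. The UI runs search-time field extraction, so the nested JSON in `_raw` appears as dotted fields such as `items.access_type`; an API result set that only carries the eight base fields has not had those extractions materialised. The helper below (1) builds a search that pushes the extraction into the job itself with `| spath | fields ...`, which is the approach I would try first, and (2) for results already returned by the `search/jobs/export` endpoint in `output_mode=json` (one JSON object per line with a `result` key), flattens `_raw` client-side into the same dotted names and reports which UI fields still cannot be reconstructed from `_raw` alone (for example `punct`, `eventtype`, `tag`, which only the indexer knows). All sample events, hosts and values are constructed; the field list `UI_FIELDS` is copied from the post. Fields such as `items.userIp`, `items.session_id` and `items.user_agent` are the ones an audit or detection pipeline consuming this API would normally need, so checking that they actually arrive is worth automating.

```python
import json
from typing import Any, Dict, List

# Field names exactly as the Splunk UI listed them in the post.
UI_FIELDS: List[str] = [
    "_raw", "_time", "app", "appId", "correlationId", "eventtype", "host", "index",
    "items.access_type", "items.article_id", "items.data.fed_id", "items.eventType",
    "items.fed_id", "items.institution_id", "items.journal_id", "items.logLevel",
    "items.referer_url", "items.request_date", "items.request_method",
    "items.resource_type", "items.session_id", "items.status_code", "items.time",
    "items.url", "items.userIp", "items.user_agent", "items.user_id",
    "items.user_name", "level", "linecount", "message", "product", "punct",
    "source", "sourcetype", "splunk_server", "splunk_server_group", "tag",
    "tag::eventtype", "vendor",
]


def build_search(base_search: str, fields: List[str]) -> str:
    """Append `| spath | fields ...` so the search job itself extracts the JSON
    paths and is required to return them.  Assumption: a job only materialises
    fields the search references, which is why the plain API result set lacks
    the items.* fields the UI shows after its own search-time extraction."""
    return f"{base_search} | spath | fields " + ", ".join(fields)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON into Splunk-style dotted names (objects -> a.b.c,
    arrays -> a{}.b carrying a multivalue list), mirroring the UI's naming."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    if isinstance(obj, list):
        array_prefix = prefix[:-1] + "{}."
        for element in obj:
            for key, value in flatten(element, array_prefix).items():
                out.setdefault(key, []).append(value)  # multivalue field
        return out
    return {prefix[:-1]: obj}


def api_row_to_ui_row(result: Dict[str, Any]) -> Dict[str, Any]:
    """Take one API result (the eight base fields) and add the dotted fields
    the UI would have extracted from its JSON _raw.  Non-JSON _raw is left as-is."""
    row = dict(result)
    try:
        parsed = json.loads(result.get("_raw", ""))
    except (TypeError, ValueError):
        return row
    if isinstance(parsed, dict):
        for key, value in flatten(parsed).items():
            row.setdefault(key, value)  # never overwrite indexer-supplied fields
    return row


def parse_export(text: str) -> List[Dict[str, Any]]:
    """Parse search/jobs/export output_mode=json (one object per line, each with
    a "result" key; preview/lastrow markers without a result are skipped)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "result" in obj:
            rows.append(api_row_to_ui_row(obj["result"]))
    return rows


def missing_ui_fields(row: Dict[str, Any]) -> List[str]:
    """UI fields that could not be reconstructed from the API row; these must
    be requested from Splunk (e.g. via build_search) rather than derived locally."""
    return sorted(f for f in UI_FIELDS if f not in row)


# Constructed sample of export output: one event whose _raw is JSON, plus a
# final marker line of the kind the export stream emits without a "result".
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": False, "result": {
        "_serial": "0", "_time": "2024-01-01T00:00:00.000+00:00",
        "source": "app.log", "sourcetype": "_json", "host": "web01",
        "index": "main", "splunk_server": "idx1",
        "_raw": json.dumps({"app": "demo", "level": "INFO", "message": "ok",
                            "items": {"access_type": "login", "user_id": "u1",
                                      "userIp": "192.0.2.10",
                                      "data": {"fed_id": "f1"}}})}}),
    json.dumps({"preview": False, "lastrow": True}),
])

if __name__ == "__main__":
    print(build_search('index=main sourcetype=_json', UI_FIELDS))
    for r in parse_export(SAMPLE_EXPORT):
        print(json.dumps(r, indent=2))
        print("still missing:", missing_ui_fields(r))
```

Run it as a script to see the flattened row and the list of fields that only the search job can supply; in practice you would feed the string from `build_search` as the `search` parameter of the export request and keep `api_row_to_ui_row` as a fallback for saved result sets.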