Running Mapped Subsearches Without Limits In Splunk

If you’re running saved searches in Splunk as subsearches inside of the map command, they are bound by the subsearch limitation. This is an alternative command that doesn’t have this limitation, as it starts a new job for each subsearch. To use it, instead of calling:

| makeresults | map test

you use:

| makeresults | mapsearch search=test

While it lacks the full flexibility of map, the command still passes each event’s values as input parameters to each called saved search....

March 27, 2022 · 1 min · Marcus Schiesser

Enforce arrays for multi-values in Splunk searches

The Splunk SDK for Python returns a string instead of an array for multi-value fields that have only one entry. To enforce arrays, you can use the following workaround:

December 20, 2021 · 1 min · admin

More than 100 results using the search-job API in Splunk

If you’re using the @splunk/search-job API and want to return more than 100 results (the default value), you’ll have to pass count to the getResults function, e.g.:

new SearchJob.create({ search: myQuery, }).getResults({ count: 500 });

December 14, 2021 · 1 min · admin

Mapping types using the Splunk search-job API

In case you’re using the @splunk/search-job API, you might find it annoying that the properties of the returned objects are all of type string. To fix this, I wrote a little type mapper (the unit test shows how to use it):

December 9, 2021 · 1 min · admin

Connect a datasource to a Splunk visualization

How to programmatically connect a search datasource to a Splunk visualization (without using the dashboard):

November 24, 2021 · 1 min · admin