We have a kludgy access log format. It certainly isn’t standard. At any rate, the out-of-the-box transforms.conf can’t handle it. Rather than change that, I elected to split the lines on the fly; not as fast, but it’s an option. The search below splits each raw line on tab into a multivalue field, takes the eighth element (index 7, zero-based) as the response code, and keeps only events whose HTTP response code is 404.
import splunklib.client as client
import splunklib.results as results

# 8089 is the Splunk management (REST) port, not the web UI port.
# Credentials are redacted here; load them from the environment or a secrets store rather than hard-coding them.
service = client.connect(host="*******", port="8089", username="*****", password="******")

# Split each event on tab, take field index 7 as the status code, keep only 404s.
# Python turns "\t" into a literal tab character inside the SPL string before it is sent.
query = """
search host="cmhlpecomweb*" sourcetype=access_combined
| fields _raw
| eval temp=split(_raw,"\t")
| eval response_code=mvindex(temp,7)
| where response_code = 404
"""

# oneshot runs the search synchronously; count=0 lifts the default result cap.
rr = results.ResultsReader(service.jobs.oneshot(
    query,
    earliest_time="2017-04-16T03:18:00.000-04:00",
    latest_time="2017-04-16T03:22:00.000-04:00",
    count=0,
))

for result in rr:
    # The reader also yields Message objects (search warnings/errors); only dicts are events.
    if isinstance(result, results.Message):
        print("%s: %s" % (result.type, result.message))
    elif isinstance(result, dict):
        print(result["_raw"])
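To check that the split-and-index logic picks the right field before running it against Splunk, here is an offline Python equivalent of the SPL pipeline above. This is an added example, not code from the original post. The log layout it uses is constructed: eight or more tab-separated fields with the HTTP status code at index 7, matching the mvindex(temp,7) in the query; STATUS_INDEX, status_code, filter_by_status and SAMPLE_LOG are names introduced here.

```python
"""Offline equivalent of: eval temp=split(_raw, TAB) | eval response_code=mvindex(temp,7)
| where response_code = 404.  Added example; the tab-delimited layout is an assumption."""
from typing import Iterable, Iterator, Optional

STATUS_INDEX = 7  # same zero-based index as mvindex(temp,7) in the SPL query

# Constructed sample lines (not real log data) in an assumed layout:
# client_ip, ident, user, timestamp, method, path, protocol, status, bytes
SAMPLE_LOG = [
    "10.0.0.5\t-\t-\t16/Apr/2017:03:18:07 -0400\tGET\t/index.html\tHTTP/1.1\t200\t5120",
    "10.0.0.9\t-\t-\t16/Apr/2017:03:18:09 -0400\tGET\t/wp-login.php\tHTTP/1.1\t404\t221",
    "10.0.0.9\t-\t-\t16/Apr/2017:03:18:10 -0400\tGET\t/admin/\tHTTP/1.1\t404\t221",
    "malformed line with no tabs at all",
    "10.0.0.7\t-\t-\t16/Apr/2017:03:19:00 -0400\tPOST\t/api/login\tHTTP/1.1\t500\t0",
]


def status_code(raw: str) -> Optional[int]:
    """Return the HTTP status from one tab-delimited line, or None if it cannot be read.

    mvindex() on a multivalue field that is too short yields null in Splunk, so a line
    with fewer than STATUS_INDEX + 1 fields, or a non-numeric status, is reported as None.
    """
    fields = raw.split("\t")
    if len(fields) <= STATUS_INDEX:
        return None
    try:
        return int(fields[STATUS_INDEX])
    except ValueError:
        return None


def filter_by_status(lines: Iterable[str], wanted: int = 404) -> Iterator[str]:
    """Yield raw lines whose status field equals `wanted` (the `where` stage).

    Lines with no parseable status are dropped, just as `where` drops events whose
    compared field is null.
    """
    for raw in lines:
        if status_code(raw) == wanted:
            yield raw


if __name__ == "__main__":
    for hit in filter_by_status(SAMPLE_LOG):
        print(hit)
```

Run on the constructed sample it prints the two 404 lines and silently skips the malformed one; pointing it at a real file of your tab-delimited events is a quick way to confirm the status code really sits at index 7 before trusting the SPL `where` clause.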