Hi.
I am trying to run a search through the Splunk API in Java, request the fields host, sourcetype and source via JobResultsArgs, and keep the results in an input stream. Now I want to run through each result and retrieve the host and source.
    import java.io.InputStream;
    import com.splunk.Job;
    import com.splunk.JobArgs;
    import com.splunk.JobResultsArgs;
    import com.splunk.Service;

    public void search(String query, String startDate, String endDate) {
        String url = System.getProperty("SPLUNK.HOST");
        int port = Integer.getInteger("SPLUNK.PORT");   // NullPointerException if the property is unset
        String username = System.getProperty("SPLUNK.USERNAME");
        String password = System.getProperty("SPLUNK.PASSWORD");
        String searchQuery_normal = "search * | head 100";
        Service client = new Service(url.trim(), port);
        client.login(username, password);
        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime(startDate);
        jobArgs.setLatestTime(endDate);
        Job job = client.getJobs().create(searchQuery_normal, jobArgs);
        while (!job.isDone()) {               // poll until the search job has finished
            try {
                Thread.sleep(500);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        }
        JobResultsArgs jobRes = new JobResultsArgs();
        String[] fields = {"_raw", "host", "sourcetype", "source"};
        jobRes.setFieldList(fields);
        jobRes.setCount(2500);                // results endpoint returns at most this many rows per call
        InputStream inpStream = job.getResults(jobRes);
        System.out.println("result size: " + job.getResultCount());
        for (int i = 0; i < job.getResultCount(); i++) {
            // host and source should be read here
        }
    }

Here I want to get the host and source. I am stuck here.
Can you please help me with how I can proceed? I know I can use ResultsReaderJson, but I am not sure how to retrieve those elements.
Is there an example of this kind?
Try this code:

    import java.io.IOException;
    import java.io.InputStream;
    import com.splunk.Event;
    import com.splunk.ResultsReaderXml;

    // job and jobRes as in your code; the enclosing method must declare
    // "throws IOException" because the reader constructor and getNextEvent() throw it.
    // (For ResultsReaderJson, call jobRes.setOutputMode(JobResultsArgs.OutputMode.JSON) first.)
    InputStream inpStream = job.getResults(jobRes);
    System.out.println("result size: " + job.getResultCount());
    ResultsReaderXml resultsReader = new ResultsReaderXml(inpStream);
    Event event = null;                       // Event is a Map<String, String> of field -> value
    while ((event = resultsReader.getNextEvent()) != null) {
        System.out.println("_raw:" + event.get("_raw"));
        System.out.println("host:" + event.get("host"));
        System.out.println("sourcetype:" + event.get("sourcetype"));
        System.out.println("source:" + event.get("source"));
    }
    resultsReader.close();
Similarly you can use ResultsReaderJson as well.
You can also refer to sample code in the How-To section of our Java SDK.
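The following is an added, end-to-end example and is not code from this thread or from the Splunk SDK's own samples. It connects over HTTPS, creates a job for a time window with a bounded wait, then pages through the results with ResultsReaderJson and pulls host and source from each Event. The class name, the default port, the `SPLUNK.*` property names, the `_internal` search and the page size are assumptions of the example; it assumes the Splunk SDK for Java 1.4 or later (for `SSLSecurityProtocol`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import com.splunk.Event;
import com.splunk.HttpService;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.SSLSecurityProtocol;
import com.splunk.Service;
import com.splunk.ServiceArgs;

// Added example, not code from the thread. Assumes Splunk SDK for Java 1.4+
// and a reachable management port (8089 by default); names are hypothetical.
public class SplunkHostSourceExample {

    // Connect over HTTPS with TLS 1.2. Credentials come from system properties
    // as in the question; a token or a secrets manager is preferable in production.
    static Service connect() {
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
        ServiceArgs args = new ServiceArgs();
        args.setScheme("https");
        args.setHost(System.getProperty("SPLUNK.HOST", "localhost"));
        args.setPort(Integer.getInteger("SPLUNK.PORT", 8089));
        args.setUsername(System.getProperty("SPLUNK.USERNAME"));
        args.setPassword(System.getProperty("SPLUNK.PASSWORD"));
        return Service.connect(args);
    }

    // Create the job for a time window and wait for it with a deadline, so a
    // slow or failed search cannot hang the caller or keep running on the server.
    static Job createAndWait(Service service, String spl, String earliest,
                             String latest, long timeoutMillis)
            throws IOException, InterruptedException {
        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime(earliest);   // ISO-8601 or relative, e.g. "-24h@h"
        jobArgs.setLatestTime(latest);
        Job job = service.getJobs().create(spl, jobArgs);
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (!job.isDone()) {
            if (job.isFailed()) {
                throw new IOException("search job " + job.getSid() + " failed");
            }
            if (System.currentTimeMillis() > deadline) {
                job.cancel();
                throw new IOException("search job " + job.getSid() + " timed out");
            }
            Thread.sleep(500);
        }
        return job;
    }

    // Page through all results (the results endpoint returns at most "count"
    // rows per call) and take host and source out of each Event, which is a
    // Map<String, String>; a field absent from an event yields null.
    static List<String[]> readHostAndSource(Job job) throws IOException {
        List<String[]> rows = new ArrayList<>();
        final int pageSize = 1000;
        int offset = 0;
        while (true) {
            JobResultsArgs resultsArgs = new JobResultsArgs();
            resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
            resultsArgs.setFieldList(new String[] {"host", "source", "sourcetype"});
            resultsArgs.setCount(pageSize);
            resultsArgs.setOffset(offset);
            int read = 0;
            try (InputStream in = job.getResults(resultsArgs);
                 ResultsReaderJson reader = new ResultsReaderJson(in)) {
                Event event;
                while ((event = reader.getNextEvent()) != null) {
                    rows.add(new String[] {event.get("host"), event.get("source")});
                    read++;
                }
            }
            if (read < pageSize) {
                break;                       // last (possibly empty) page
            }
            offset += read;
        }
        return rows;
    }

    public static void main(String[] argv) throws Exception {
        Service service = connect();
        Job job = createAndWait(service,
                "search index=_internal sourcetype=splunkd", "-15m@m", "now", 60_000L);
        // eventCount is what the search scanned; resultCount is what it returned
        System.out.println("events: " + job.getEventCount()
                + " results: " + job.getResultCount());
        for (String[] row : readHostAndSource(job)) {
            System.out.println("host=" + row[0] + " source=" + row[1]);
        }
    }
}
```

Two points worth checking in your own build: the job is cancelled on timeout so an expensive search does not keep consuming the search head after the client gives up, and the SDK has historically accepted any server certificate, so look at whether your release exposes certificate validation on HttpService and turn it on before sending credentials over the wire.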
You may be passing invalid arguments during creation. Keep in mind that the list of arguments is different for creation vs. getting results. Please review the documentation for How to run searches.
Yeah, absolutely. Just make sure to put the search keyword before the search criteria. Good luck.
@kalyani1184 -> could you please help me export the search results with the Splunk Java SDK?
Instead of giving the search string directly as "search java.sql.SQLException: Closed Connection", can we store that in a variable and use it, as we are passing that string from another method?
Thanks a lot. It's working.
Try this - searchQuery = "search java.sql.SQLException: Closed Connection";
"" + \"java.sql.SQLException: Closed Connection\"
This is the query I am passing, with escape characters for the quotes in the string.
Can you tell me what value you are passing for the searchQuery variable?
When I tried it like that, it shows an error:

    HTTP 400 -- Error in 'SearchParser': Missing a search command before '"'.
Yes, you can.
This is the way I am passing the time strings, but I need to pass a query which is a string I stored in a variable. I want to pass that string. Instead of

    Job job = service.getJobs().create("search index=_internal", jobArgs);

can I use

    Job job = service.getJobs().create(searchQuery, jobArgs);

where searchQuery has the string I am searching for?
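An added example (not from the thread) of building that searchQuery variable from a value handed in by another method. It does two things the discussion touches on: it puts the search command first, so the server does not report "Missing a search command before '\"'", and it wraps the term in SPL double quotes with backslash escaping of `"` and `\`, so a value that contains spaces, colons or quotes is one literal term. The escaping also matters for security: a string concatenated straight into the query can carry `| ...` and append whatever commands the logged-in role is allowed to run. The class name, the `index=` restriction and the sample inputs are assumptions of the example.

```java
// Added example, not code from the thread. Builds the SPL string passed to
// service.getJobs().create(spl, jobArgs) from a caller-supplied term.
public final class SplQueryBuilder {

    // Wrap a literal term in SPL double quotes, escaping backslash and quote
    // with a backslash, which is how quoted strings are escaped in SPL.
    static String quote(String term) {
        if (term == null) {
            throw new IllegalArgumentException("term must not be null");
        }
        StringBuilder sb = new StringBuilder(term.length() + 2).append('"');
        for (char c : term.toCharArray()) {
            if (c == '\\' || c == '"') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Produce: search index=<index> "<term>"
    // The generating command comes first and the term is a single quoted
    // literal, so a pipe inside it is searched for, not executed.
    static String buildSearch(String index, String term) {
        if (index == null || !index.matches("[A-Za-z0-9_-]+")) {
            throw new IllegalArgumentException("bad index name: " + index);
        }
        return "search index=" + index + " " + quote(term);
    }

    public static void main(String[] args) {
        // The term from the thread: the colon and spaces stay inside one literal.
        System.out.println(buildSearch("app", "java.sql.SQLException: Closed Connection"));
        // A hostile value cannot close the literal and add a command.
        System.out.println(buildSearch("app", "x\" | delete | search \"y"));
        // Index names are checked too, since they are concatenated unquoted.
        try {
            buildSearch("app | delete", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the calling method needs to supply more than a term (a field=value pair, for instance), extend buildSearch with one parameter per piece rather than accepting a free-form SPL fragment; the Splunk role's capabilities are the only other guard against an injected command.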
You may not be passing the values in the right format. Here is a way to pass time strings; you can also pass a relative time like "-20m@m". Please go through the documentation to learn more about job arguments.

    import com.splunk.Job;
    import com.splunk.JobArgs;

    // inside a method that declares "throws InterruptedException"
    JobArgs jobArgs = new JobArgs();
    jobArgs.setEarliestTime("2013-03-26T00:00:00.000-07:00");   // ISO-8601 with UTC offset
    Job job = service.getJobs().create("search index=_internal", jobArgs);
    while (!job.isDone()) {
        Thread.sleep(500);
    }
    System.out.println(job.getResultCount());
I want to search for a query within the startTime and endTime. So I am using jobArgs.setEarliestTime(startTime) and jobArgs.setLatestTime(endTime) and sending these arguments along when creating a search job.
Can we give

    Job job = client.getJobs().create(searchQuery, jobArgs);

without giving the "... | head 100"? I was thrown an error when I tried to give just the search query, start time and end time arguments.
getResultCount is the total count of results returned by the job. Keep in mind that this is different from getEventCount. You can read more here.
Btw, I think the reason you are getting 100 is because you have " ... | head 100" in your search query.
    System.out.println("result size: " + job.getResultCount());

Does this statement give the number of times the search query was found, or 100 as initialized in searchQuery_normal? I am getting 100 every time.
Thank You for the quick response.