Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a programmatic way of finding the sum of events returned from a search via REST API?

geordieguy
New Member
‎06-14-2016 06:04 PM

Hi Folks,

Just getting started trying to figure out the API. My mission which I have chosen to accept is to report on how many events are returned from a search, from yesterday, each morning at open of business. I have a search;

> <search>
>           <query>username@domain.com.au
> sourcetype="MSExchange:2010:MessageTracking"
> sender_username=username</query>
>           <earliest>-1d@d</earliest>
>           <latest>@d</latest> ...

Which is returning all the appropriate results, but is there a way to programatically grab the count of results via the API?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎06-15-2016 06:10 AM

/search/jobs will give you information about all search jobs and you could filter from there.

You could also hit /search/jobs/{search_id}/timeline and you'll return a parameter for event count.

0 Karma
Reply
Solved! Jump to solution

geordieguy
New Member
‎06-14-2016 09:43 PM

Thanks, does that mean I should GET /search/jobs//eventCount ? or do I get /search/jobs/id and eventCount is an XML element in the response which I parse?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...