Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a programmatic way of finding the sum of events returned from a search via REST API?

geordieguy
New Member
‎06-14-2016 06:04 PM

Hi Folks,

Just getting started trying to figure out the API. My mission which I have chosen to accept is to report on how many events are returned from a search, from yesterday, each morning at open of business. I have a search;

> <search>
>           <query>username@domain.com.au
> sourcetype="MSExchange:2010:MessageTracking"
> sender_username=username</query>
>           <earliest>-1d@d</earliest>
>           <latest>@d</latest> ...

Which is returning all the appropriate results, but is there a way to programatically grab the count of results via the API?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎06-15-2016 06:10 AM

/search/jobs will give you information about all search jobs and you could filter from there.

You could also hit /search/jobs/{search_id}/timeline and you'll return a parameter for event count.

0 Karma
Reply
Solved! Jump to solution

geordieguy
New Member
‎06-14-2016 09:43 PM

Thanks, does that mean I should GET /search/jobs//eventCount ? or do I get /search/jobs/id and eventCount is an XML element in the response which I parse?

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...