Issue : We don't see run async query using Ruby SDK against a Splunk 6.4 search head cluster via a BIG-IP load balancer.
Here is the sample Code.
require 'splunk-sdk-ruby'
# How to get to the Splunk server. Edit this to match your
# own Splunk install.
config = {
:scheme => :https,
:host => "localtest.com",
:port => 8089,
:username => "splunk.sensu",
:password => "redacted"
}
# First open a connection to Splunk.
service = Splunk::connect(config)
# For longer running jobs, you don't want to wait until the job finishes, as
# create_oneshot in 3_blocking_searches.rb does. In this case, use the
# create_search method of Service. Instead of returning a stream, it creates
# an asynchronous job on the server and returns a Job object referencing it.
job = service.create_search("search index=_internal | head 1",
:earliest_time => "-1d",
:latest_time => "now")
# Before you can do anything with a Job, you must wait for it to be ready.
# Before it is, you cannot do anything with it, even read its state.
while !job.is_ready?()
sleep(0.1)
end
# More typically you will want to wait until the job is done and its events
# ready to retrieve. For that, use the is_done? method instead. Note that a
# job is always ready before it's done.
while !job.is_done?()
sleep(0.1)
end
# If you want the transformed results (equivalent to what create_oneshot would
# return), call the results method on the Job. If you want the untransformed
# results, call events. You can optionally pass an offset and total count,
# which are useful to get hunks of large sets of results.
stream = job.results(:count => 1, :offset => 0)
# Or: stream = job.events(:count => 3, :offset => 0)
results = Splunk::ResultsReader.new(stream)
results.each do |result|
puts result["_raw"]
end
# If you want to run a real time search, it must be asynchronous, and it is
# never done, so neither results or events will work. Instead, you must call
# preview (which takes the same arguments as the other two).
rt_job = service.create_search("search index=_internal | head 1",
:earliest_time => "rt-1h",
:latest_time => "rt")
while !rt_job.is_ready?()
sleep(0.1)
end
stream = rt_job.preview()
results = Splunk::ResultsReader.new(stream)
results.each do |result|
puts result["_raw"]
end
Currently, Splunk does not have necessary support for cookie authentication to the Ruby SDK. You can use Basic Authentication to do it, here is an example:
https://github.com/splunk/splunk-sdk-ruby/blob/master/examples/connect_load_balanced_search_heads.rb
Currently, Splunk does not have necessary support for cookie authentication to the Ruby SDK. You can use Basic Authentication to do it, here is an example:
https://github.com/splunk/splunk-sdk-ruby/blob/master/examples/connect_load_balanced_search_heads.rb