I Have Two Queries That Both Work In Splunk Web UI
This Query Works In Web UI BUT NOT In API
I Probably Have A Syntax Problem
Can I Get Some Help
    var query = "search index=main sourcetype=dg_dlp host=G2UA7301XP2E earliest=\"12/5/2017:00:00:00\" latest=\"12/5/2017:23:59:00\" Operation=12 User_Name=\"logon\\212000846\"";

    static async Task Run(Service service)
    {
        try
        {
            // Login
            await service.LogOnAsync("admin", "changeme");

            // This One Returns Data In Web UI and Data In API
            //var query = "search index=_internal | head 5";

            // This One Returns Data In Web UI and NO Data IN API -- Must Be A Syntax Problem
            var query = "search index=main sourcetype=dg_dlp host=G2UA7301XP2E earliest=\"12/5/2017:00:00:00\" latest=\"12/5/2017:23:59:00\" Operation=12 User_Name=\"logon\\212000846\"";

            var args = new JobArgs
            {
                // For a full list of options, see:
                //
                // http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#POST_search.2Fjobs
                //EarliestTime = "-1w",
                //LatestTime = "now"
            };

            using (SearchResultStream resultStream = await service.SearchOneShotAsync(query, args: args))
            {
                foreach (SearchResult result in resultStream)
                {
                    Console.WriteLine(result);
                }
            }
        }
        catch (Exception ex)
        {
            string strError = "";
            strError = ex.Message;
        }
    }

Hi Charles,
After creating the job with the API, you can go find it in the job activity to see if it ran as you expected.
I would suggest you have a look at the User_Name field.
Because of escaping you may be losing a "\" in the User_Name you are looking for, therefore getting no results!
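
The escaping layers the answer refers to, as an added example that is not part of the original thread or of the Splunk SDK: it prints the search string that actually leaves the C# process, so it can be compared with the search shown for the job in the job activity view. `SplQuote` is a hypothetical helper, the shortened queries and the second user name are constructed, and the code assumes the SPL rule that a backslash or double quote inside a double-quoted value is escaped with a backslash.

```csharp
using System;

static class SplEscapingDemo
{
    // Hypothetical helper (not an SDK call): wraps a field value in double
    // quotes for an SPL search string. Assumption: inside a quoted SPL value,
    // a backslash and a double quote are each escaped with a backslash.
    static string SplQuote(string value)
    {
        string escaped = value.Replace("\\", "\\\\").Replace("\"", "\\\"");
        return "\"" + escaped + "\"";
    }

    static void Main()
    {
        // Layer 0: the value as stored in the event (ONE backslash).
        // A verbatim string (@"...") keeps C# escaping out of the picture.
        string userName = @"logon\212000846";

        // Layer 1: the literal from the question. The C# compiler turns "\\"
        // into one backslash before the string ever reaches Splunk.
        string asPosted = "search index=main User_Name=\"logon\\212000846\"";

        // Layer 2: the value escaped for SPL first, then placed in the query.
        // Splunk receives two backslashes for the one in the value.
        string escaped = "search index=main User_Name=" + SplQuote(userName);

        // The same query as a regular C# literal needs FOUR backslashes.
        string byHand = "search index=main User_Name=\"logon\\\\212000846\"";

        Console.WriteLine("sent, as posted : " + asPosted);
        Console.WriteLine("sent, escaped   : " + escaped);
        Console.WriteLine("literal matches : " + (escaped == byHand));

        // Constructed value containing a quote as well: the helper keeps the
        // whole value inside the quoted term instead of ending it early.
        string odd = "corp\\o\"brien";
        Console.WriteLine("quote in value  : User_Name=" + SplQuote(odd));
    }
}
```

Building every user-supplied value through one quoting helper also keeps a stray quote or backslash in the value from changing the structure of the search.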