Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a programmatic way of finding the sum of events returned from a search via REST API?

geordieguy
New Member
‎06-14-2016 06:04 PM

Hi Folks,

Just getting started trying to figure out the API. My mission which I have chosen to accept is to report on how many events are returned from a search, from yesterday, each morning at open of business. I have a search;

> <search>
>           <query>username@domain.com.au
> sourcetype="MSExchange:2010:MessageTracking"
> sender_username=username</query>
>           <earliest>-1d@d</earliest>
>           <latest>@d</latest> ...

Which is returning all the appropriate results, but is there a way to programatically grab the count of results via the API?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎06-15-2016 06:10 AM

/search/jobs will give you information about all search jobs and you could filter from there.

You could also hit /search/jobs/{search_id}/timeline and you'll return a parameter for event count.

0 Karma
Reply
Solved! Jump to solution

geordieguy
New Member
‎06-14-2016 09:43 PM

Thanks, does that mean I should GET /search/jobs//eventCount ? or do I get /search/jobs/id and eventCount is an XML element in the response which I parse?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...