Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a programmatic way of finding the sum of events returned from a search via REST API?

geordieguy
New Member
‎06-14-2016 06:04 PM

Hi Folks,

Just getting started trying to figure out the API. My mission which I have chosen to accept is to report on how many events are returned from a search, from yesterday, each morning at open of business. I have a search;

> <search>
>           <query>username@domain.com.au
> sourcetype="MSExchange:2010:MessageTracking"
> sender_username=username</query>
>           <earliest>-1d@d</earliest>
>           <latest>@d</latest> ...

Which is returning all the appropriate results, but is there a way to programatically grab the count of results via the API?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-14-2016 09:25 PM

Once the search runs you should be able to query the REST API to find the job and grab that information: http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#search.2Fjobs

In addition, you could also append "| stats count" to the end of your current query and that would return just a numerical value of a count of the events returned by your search.

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎06-15-2016 06:10 AM

/search/jobs will give you information about all search jobs and you could filter from there.

You could also hit /search/jobs/{search_id}/timeline and you'll return a parameter for event count.

0 Karma
Reply
Solved! Jump to solution

geordieguy
New Member
‎06-14-2016 09:43 PM

Thanks, does that mean I should GET /search/jobs//eventCount ? or do I get /search/jobs/id and eventCount is an XML element in the response which I parse?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...