Hello,
I'm new to the Java SDK and this is what I don't understand in my use of it so far:
Question 1:
I am using the search command with this search string:
String query = "search index=_internal | head 2";
I get the following results:
EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-BXXXXXXXX
_cd --> 12:738551
_serial --> 0
_raw --> XXX.XXX.XXX.X - admin [21/Aug/2018:16:46:59.961 +0200] "GET /XXX/XXX/XXXX HTTP/1.1" 200 4930 - - - 1ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXXXXX\splunkd_access.log
_indextime --> 15345510
_subsecond --> .961
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.961+02:00
EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-B8A6-BXXXXXXXX
_cd --> 12:7389098
_serial --> 1
_raw --> 185.162.209.1 - admin [21/Aug/2018:16:46:59.705 +0200] "POST /XXX/XXX/XXXHTTP/1.1" 200 170 - - - 10ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXX\splunkd_access.log
_indextime --> 1534865515
_subsecond --> .705
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.705+02:00
Can you tell me why this search string:
String query = "search index=_internal _serial=0 | head 2 ";
does not return anything? I expected to retrieve the first EVENT.
Question 2:
Does the search string always have to mention an index name? I thought searching by keyword would work with the Java SDK, but it does not (for example, "search _serial=0" returns nothing).
In general, how different is the syntax we use in the GUI version from the one used on the command line? Are the boolean operators accepted on the command line, for example?
My main goal is to let the user use my app the way they are used to in the GUI version (or as close as possible).
Thanks!
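An added example, not code from the original post, showing one way to run the same SPL through the Java SDK and apply the `_serial` condition after the search: `_serial` is the position of each result in the result set, assigned at search time rather than stored with the event, which is why `index=_internal _serial=0` in the base search matches no indexed term. The host, port and credentials below are placeholders.

```java
import com.splunk.Event;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.ResultsReaderXml;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.InputStream;
import java.util.Map;

// Added example (not from the original post): the SPL string is the same one
// the web UI accepts; only the transport (SDK vs. browser) differs.
public class SerialFilterExample {

    public static void main(String[] args) throws Exception {
        // Placeholder connection details; replace with your own server values.
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setScheme("https");
        loginArgs.setHost("splunk.example.invalid");
        loginArgs.setPort(8089);
        loginArgs.setUsername("admin");
        loginArgs.setPassword("changeme");
        Service service = Service.connect(loginArgs);

        // _serial is numbered per result after the search runs, so it is
        // filtered with a post-search command (where), not in the base search.
        // Naming the index is still advisable: without it the search runs over
        // the role's default indexes, and _internal is usually not among them.
        String query = "search index=_internal | head 2 | where _serial=0";

        // Blocking mode returns the Job only once the search has finished.
        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
        Job job = service.getJobs().create(query, jobArgs);

        // Read the result set as XML; each Event is a map of field -> value.
        try (InputStream results = job.getResults()) {
            ResultsReaderXml reader = new ResultsReaderXml(results);
            Event event;
            while ((event = reader.getNextEvent()) != null) {
                System.out.println("EVENT:********");
                for (Map.Entry<String, String> field : event.entrySet()) {
                    System.out.println(field.getKey() + " --> " + field.getValue());
                }
            }
            reader.close();
        }
    }
}
```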