Splunk SDK API Search String Syntax Problem

charles_corder — Wed, 06 Dec 2017 21:27:49 GMT

I Have Two Queries That Both Work In Splunk Web Ui

This Query Works In Web UI BUT NOT In Api
I Probaly Have A Syntax Problem

Can I Get Some Help

 var query = "search index=main sourcetype=dg_dlp host=G2UA7301XP2E earliest=\"12/5/2017:00:00:00\" latest=\"12/5/2017:23:59:00\" Operation=12 User_Name=\"logon\\212000846\"";

static async Task Run(Service service)
{
  try
  {
    // Login
    await service.LogOnAsync("admin", "changeme");

    // This One Returns Data In Web UI and Data In API
    //var query = "search index=_internal | head 5";

    // This One Returns Data In Web UI and NO Data IN API -- Must Be A Syntax Problem
    var query = "search index=main sourcetype=dg_dlp host=G2UA7301XP2E earliest=\"12/5/2017:00:00:00\" latest=\"12/5/2017:23:59:00\" Operation=12 User_Name=\"logon\\212000846\"";
    var args = new JobArgs
    {
      // For a full list of options, see:
      //
      //     http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#POST_search.2Fjobs
      //EarliestTime = "-1w",
      //LatestTime = "now"
    };

    using (SearchResultStream resultStream = await service.SearchOneShotAsync(query, args: args))
    {
      foreach (SearchResult result in resultStream)
      {
        Console.WriteLine(result);
      }
    }
  }
  catch (Exception ex)
  {
    string strError = "";
    strError = ex.Message;
  }
}

Re: Splunk SDK API Search String Syntax Problem

damien_chillet — Thu, 07 Dec 2017 10:29:36 GMT

Hi Charles,

After creating the job with the API, you can go find it in the job activity to see if it ran as you expected.
I would suggest you have a look at the User_Name field.

Because of escaping you may be loosing a "\" in the User_Name you are looking for, therefore getting no results!

topic Re: Splunk SDK API Search String Syntax Problem in Splunk Dev

Splunk SDK API Search String Syntax Problem

Re: Splunk SDK API Search String Syntax Problem