https://community.splunk.com/t5/Getting-Data-In/Java-API-query-syntax-failure/m-p/294307#M55920 <P>Hi,</P> <P>Could you please do the following<BR /> 1) please check if the particular host log coming to mentioned sourcetype<BR /> 2)please put only sourcetype in the java search as follow<BR /> Search sourcetype=WinEventLog:Security | stats count by host</P> Wed, 28 Mar 2018 17:10:15 GMT logloganathan 2018-03-28T17:10:15Z https://community.splunk.com/t5/Getting-Data-In/Java-API-query-syntax-failure/m-p/294306#M55919 <P>I''m using Splunk 6.6.3, Java API 1.6.4.0, Java 1.8.0_45, IntelliJ IDE. </P> <P>I'm making part of a simple application that checks that a given system is actively logging, where the sourceType, hostname, and minutes back from present are being read from a database and become part of the query.</P> <P>An equivalent search query that works as expected in Splunk GUI, with time set as "Last 60 minutes" would be:</P> <P>sourcetype=WinEventLog:Security host=abcxyz | head 1</P> <P>I'm working from the examples provided, but none seem to show multiple arguments i.e. sourcetype, host, time range. In the code below, if I set:</P> <P>String mySearch = "search host="+ lsb.getSystem() + " "; // just a host String</P> <P>It will work for at least some hosts.</P> <P>If I try to add the sourcetype, all will fail:</P> <P>String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " ";</P> <P>Note: In the code below, the method minutesBackString() returns a String like: "2018-03-27T12:53:46.626-04:00"</P> <P>Can someone suggest a combination that will give the equivalent result of the GUI search? Ideally I would specify the field list, but I can get by without that. Any suggestions very much appreciated. Please Ignore the boolean return for now - it will be dependent on the content returned by the query.</P> <P>private boolean oneSystem(LoggingSystemBean lsb) {</P> <PRE><CODE> boolean retval = false; String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " "; // lsb.system is String JobArgs jobargs = new JobArgs(); jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL); jobargs.setEarliestTime(minutesBackString(60)); jobargs.setLatestTime(minutesBackString(0)); jobargs.setMaximumCount(1); Job job = service.getJobs().create(mySearch, jobargs); try { while ( !job.isDone() ) { Thread.sleep(500); } } catch (InterruptedException ie) { } // Display results InputStream results = job.getResults(); String line = null; try { BufferedReader br = new BufferedReader(new InputStreamReader(results, "UTF-8")); while ( (line = br.readLine()) != null ) { System.out.println(line); } br.close(); } catch (Exception ex) { errLog.severe(ex.getMessage() + "\n" + ExceptionUtils.getStackTrace(ex)); } return (retval); </CODE></PRE> <P>} </P> Tue, 27 Mar 2018 18:21:47 GMT https://community.splunk.com/t5/Getting-Data-In/Java-API-query-syntax-failure/m-p/294306#M55919 tdhealy 2018-03-27T18:21:47Z https://community.splunk.com/t5/Getting-Data-In/Java-API-query-syntax-failure/m-p/294307#M55920 <P>Hi,</P> <P>Could you please do the following<BR /> 1) please check if the particular host log coming to mentioned sourcetype<BR /> 2)please put only sourcetype in the java search as follow<BR /> Search sourcetype=WinEventLog:Security | stats count by host</P> Wed, 28 Mar 2018 17:10:15 GMT https://community.splunk.com/t5/Getting-Data-In/Java-API-query-syntax-failure/m-p/294307#M55920 logloganathan 2018-03-28T17:10:15Z