topic Re: Java SDK - Search strings syntax understanding in Splunk Search

Java SDK - Search strings syntax understanding

michel_hc — Tue, 29 Sep 2020 21:00:28 GMT

Hello,

I'm new with Java SDK and this is what I don't understand in my use of it so far :

Question 1:

I am using the search command with this search string :

String query = "search index=_internal | head 2";

I get the following results :

EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-BXXXXXXXX
_cd --> 12:738551
_serial --> 0
_raw --> XXX.XXX.XXX.X - admin [21/Aug/2018:16:46:59.961 +0200] "GET /XXX/XXX/XXXX HTTP/1.1" 200 4930 - - - 1ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXXXXX\splunkd_access.log
_indextime --> 15345510
_subsecond --> .961
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.961+02:00
EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-B8A6-BXXXXXXXX
_cd --> 12:7389098
_serial --> 1
_raw --> 185.162.209.1 - admin [21/Aug/2018:16:46:59.705 +0200] "POST /XXX/XXX/XXXHTTP/1.1" 200 170 - - - 10ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXX\splunkd_access.log
_indextime --> 1534865515
_subsecond --> .705
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.705+02:00

Can you tell me why this search string :

String query = "search index=_internal _serial=0 | head 2 ";

does not return anything ? Because I expected to retrieve the first EVENT

Question 2:

Does the search string always have to mention an index name ? Because I thought searching by keyword would work with the Java SDK and it is not (for example : "search _serial=0" returns nothing).
In general, how different are the syntax that we use in the GUI version and the command lines ? Are the boolean operators accepted in command lines for example ?
My main goal is allowing the user to use my app as he is used to in the GUI version (or as close as possible).

Thanks !

Re: Java SDK - Search strings syntax understanding

niketn — Tue, 21 Aug 2018 17:40:27 GMT

@michel_hc instead on depending on SDK, can you not do | head 1 to get first result instead of head 2?

Re: Java SDK - Search strings syntax understanding

michel_hc — Tue, 29 Sep 2020 21:00:52 GMT

Hi! My app is in Java and I chose to use this SDK to integrate Splunk to it so it relies on it. But I'm just playing around with it for the moment as I'm new with it and all I can see this far is that search strings that I pass to the SDK make sense to me but no results are returned ; I don't see why the second query wouldn't work.

I'm just trying to understand what's wrong and what syntax I should use because these don't work either:
String query = "search index=_internal _serial=0 | head 1";
String query = "search index=_internal _serial=0";
String query = "search index=_internal _serial='0'";
String query = "search index=_internal AND _serial=0";
String query = "search index=_internal and _serial=0";

Thanks for your help!

Re: Java SDK - Search strings syntax understanding

niketn — Wed, 22 Aug 2018 10:06:54 GMT

I meant the following without _serial=0:

String query = "search index=_internal | head 1";

Re: Java SDK - Search strings syntax understanding

michel_hc — Wed, 22 Aug 2018 11:42:53 GMT

Hi! The results are not the point actually. I'm just trying to understand how search strings work using the Java SDK. Why are the different queries that I mentioned not returning anything ?
I can't seem to find any information about the syntax.
Or am I missing some parameters for them to work ?

Re: Java SDK - Search strings syntax understanding

niketn — Tue, 29 Sep 2020 20:58:39 GMT

If I bring you to SPL alone (without Splunk SDK), the search query that you are building looks at Splunk's _internal index and tries to find an internal field _serial with value 0. Which from my understanding does not exist. So you do not get any results back.

For example Just take following two queries as is and try running in Splunk Search:

search index=_internal | head 1
search index=_internal _serial=0 | head 1 PS: Splunk Search by default adds a search keyword before our query in case it is not a generating command i.e. starting with pipe | like | makeresults. So, it will remove search command from the search string when you paste in Splunk Search bar.

Re: Java SDK - Search strings syntax understanding

michel_hc — Thu, 23 Aug 2018 11:58:18 GMT

Ok, I have the expected results with this following query:

String query = "search index=_internal | where _serial=0";

Now I'm just wondering if it is possible to make a search without mentioning an index.
For example, what if I wanted to know the indexes containing a certain keyword, how would I do ?
Or what if I wanted to list all the available indexes ?

Thanks!