topic Re: How to run a search and retrieve elements from a Splunk API in java in Splunk Search

How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Mon, 25 Mar 2013 17:14:00 GMT

Hi.
I am trying to run a search from a Splunk API in java, store the results with fields host, sourcetype, source in the JobResultsArgs and stored in an input stream. Now I want to run through each result and retrieve the host and source.

public void search(String query,String startDate, String endDate){
        String url = System.getProperty("SPLUNK.HOST");
        int port = Integer.getInteger("SPLUNK.PORT");
        String username = System.getProperty("SPLUNK.USERNAME");
        String password = System.getProperty("SPLUNK.PASSWORD");
        String searchQuery_normal = "search * | head 100";



        Service client = new Service(url.trim(), port);
        client.login(username, password);
        JobArgs jobArgs = new  JobArgs(); 
        jobArgs.setEarliestTime(startDate);
        jobArgs.setLatestTime(endDate);
        Job job = client.getJobs().create(searchQuery_normal,jobArgs);  
        while (!job.isDone()) {
             try {
                 Thread.sleep(500);
             } catch (InterruptedException e) {
                 // TODO Auto-generated catch block
                 e.printStackTrace();
             }
         }

         JobResultsArgs jobRes = new JobResultsArgs();
         String[] fields = {"_raw" , "host", "sourcetype", "source"};
         jobRes.setFieldList(fields);
         jobRes.setCount(2500);
         InputStream inpStream = job.getResults(jobRes);  
         System.out.println("result size: " + job.getResultCount());
         for (int i = 0; i < job.getResultCount(); i++){

Here I want to get the host and source. I am stuck here.
Can you please help me, how I can proceed. I know I can use the RessultReadonJson but not sure how to retrieve those elements.
Is there an example of this kind?

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Mon, 28 Sep 2020 13:36:01 GMT

Try this code:

InputStream inpStream = job.getResults(jobRes);

System.out.println("result size: " + job.getResultCount());

ResultsReaderXml resultsReader = new ResultsReaderXml(inpStream);

Event event = null;

while ((event = resultsReader.getNextEvent()) != null) {

    System.out.println("_raw:" + event.get("_raw"));

    System.out.println("host:" + event.get("host"));

    System.out.println("sourcetype:" + event.get("sourcetype"));

    System.out.println("source:" + event.get("source"));

}

Similarly you can use ResultsReaderJson as well.

You can also refer to sample code in the How-To section of our Java SDK.

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Mon, 25 Mar 2013 18:20:06 GMT

Thank You for the quick response.

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Mon, 25 Mar 2013 20:07:42 GMT

System.out.println("result size: " + job.getResultCount());

Does this statement gives the number of times the search query was found or 100 as initializes in the searchQuery_normal becausde i am getting 100 everytime.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Mon, 25 Mar 2013 20:46:29 GMT

getResultsCount is the total count of results returned by the job. Keep in mind that this is different from getEventCount. You can read more here.

Btw, I think the reason you are getting 100 is because of your you have " ... | head 100" in your search query.

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 14:15:21 GMT

Can we give
Job job = client.getJobs().create(searchQuery,jobArgs);
without giving the "...|head 100". I was thrown an error when i tried to give just the search query,start time and end time arguments.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 14:59:07 GMT

You may be passing invalid arguments during creation. Keep in mind that the list of arguments are different for creation vs. getting results. Please review the documentation for How to run searches.

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 15:09:39 GMT

I want to search for a query with in the starttime and endTime. So i am taking jobargs.setEarliestTime(startTime) and jobargs.setLatestTime(endTime) and sending these arguments alsong with creting a seatch job.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 15:28:12 GMT

You may not be passing the values in the right format. Here is a way to pass time strings and you can also pass in relative time like "-20m@m". Please go through the documentation to learn more about job arguments.

JobArgs jobArgs = new JobArgs();

jobArgs.setEarliestTime("2013-03-26T00:00:00.000-07:00");

Job job = service.getJobs().create("search index=_internal", jobArgs);

while (!job.isDone()) {

    Thread.sleep(500);

}

System.out.println(job.getResultCount());

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 16:19:52 GMT

This is the way i am passing the time strings but i need to pass a query which is a string I stored in a variable. I want to pass that string. Instead of
Job job = service.getJobs().create("search index=_internal", jobArgs); can i use
Job job = service.getJobs().create(searchQuery, jobArgs);
where searchQuery has the string i am search for.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 16:41:58 GMT

Yes, you can.

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 16:48:00 GMT

When i tried like that it is showing an error :

HTTP 400 -- Error in 'SearchParser': Missing a search command before '"'.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 16:59:41 GMT

Can you tell me what value are you passing for searchQuery variable?

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 17:10:58 GMT

"" + \"java.sql.SQLException: Closed Connection\"

This is the query i am passing with escape character for the quotes in the string

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 17:17:13 GMT

Try this - searchQuery = "search java.sql.SQLException: Closed Connection";

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 18:16:26 GMT

Thanks a lot. Its working

Re: How to run a search and retrieve elements from a Splunk API in java

kalyani1184 — Tue, 26 Mar 2013 18:36:38 GMT

Instead of giving the search string directly as "search java.sql.SQLException: Closed Connection" can we store that in a variable and use it as we are passing that string from another method.

Re: How to run a search and retrieve elements from a Splunk API in java

Neeraj_Luthra — Tue, 26 Mar 2013 18:48:30 GMT

Yeah, absolutely. Just make sure to put the search keyword before the search criteria. Good luck.

Re: How to run a search and retrieve elements from a Splunk API in java

harikag — Mon, 29 Jul 2019 12:14:30 GMT

@kalyani1184 -> could you please help me in export the search results in splunk java sdk.