topic Re: search using the Splunk API to get back a single result(not streaming) without using a saved search or SID? in Splunk Search

search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

vasanthi77 — Thu, 05 Sep 2019 13:16:54 GMT

can we run a search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

I tried export like below which is giving streamed output, i want single result

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

I tried post like this , giving me SID( i dont wnt to use SID r saved search )

curl -k -u admin:admin https://searchhead:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search * | stats max(_time) AS _time BY "pctIdle" | sort 0 - _time | head 1|rename "pctIdle" AS Value " -d id=mysearch_0215194643 -d max_count=50000 -d status_buckets=300

Any other way to get results with out SID r saved search?

Re: search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

harsmarvania57 — Thu, 05 Sep 2019 15:02:01 GMT

Hi,

You can achieve this with your first search

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

but the problem is you didn't mention any time frame in your search and due to that it will search All Time and by default preview=true so it will preview result constantly as splunk is searching more data.

So you can try below command , in which you can specify earliest_time and latest_time& disable preview.

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now

Re: search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

vasanthi77 — Thu, 05 Sep 2019 23:46:58 GMT

@harsmarvania57 getting this error response

  <response>
  <messages>
  <msg type="FATAL">
  Invalid sid: export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now
  </msg>
  </messages>
  </response>

Re: search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

vasanthi77 — Fri, 06 Sep 2019 01:50:58 GMT

@harsmarvania57 Thanks for responding. It working as expected .

https://search head:8089/services/search/jobs/export?search=search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value&preview=false&earliest_time=-2m&latest_time=now&output_mode=json

Re: search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

harsmarvania57 — Fri, 06 Sep 2019 08:35:15 GMT

Glad that it worked.