Developing for Splunk Enterprise

Splunk SDK search with aggregates returns zeros for aggregate values.

Engager

I'm trying to export data from Splunk using the Java SDK. The search I'm using includes aggregate functions avg, min and max. The search works fine in Splunk Search web app but when exporting via SDK the aggregate values return zeros. A count value does return data as well as the time field. I've exported the values as JSON, XML and CSV and all return values in the raw output stream. Is this an issue with the aggregates values being decimals? Are they handled differently?

Tags (2)

Splunk Employee
Splunk Employee

The search query string, when used from Java SDK needs to have special characters like backslash (\) properly escaped. After working more with @cwilen we learnt that lack of escaping these characters was causing this problem.

Lesson learned: The search query string that works in Splunk UI may not work as-is from the SDK if it has special characters that need escaping.

0 Karma

Splunk Employee
Splunk Employee

I believe we are helping you through the support case. We will update this post once we are able to resolve your issue with the findings from that case.

0 Karma