How to create an 'all time' search with Splunk Rub...

TierSeven · ‎01-09-2017

In the UI, we have an option to search results from the beginning of out log collecting using the 'all time' option.

Is there a way of getting this info via the SDK?

If so, What are the best practices for that? I'm currently using create_searchgoing backwards one day and by that getting all the info, But i'm not sure this is the way to go.

hunters_splunk · ‎01-11-2017

Hi TierSeven,

Please refer to the Splunk REST API Reference Manual to see if any of the search endpoints can meet your specific requirements:
http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTREF/RESTsearch

Hope this helps. Thanks!
Hunter

reilly1 · ‎09-03-2017

I downvoted this post because does not answer the question

Motoko89 · ‎06-07-2017

I downvoted this post because answer not addressed the question

TierSeven · ‎01-11-2017

Thanks for the answer, I'm afraid i did not explain myself all that well.
I'm using the Splunk Ruby SDK (Which uses the REST API of course).
I'm trying to figure out how to retrieve every log entry i have on my Spluk since the beginning.
Currently i'm using create_searchbut i'm not sure this is the way to go.
I'll update the question.

dlamb_splunk · ‎01-09-2017

Are you looking for best practices regarding the REST API input or searching all time data?

TierSeven · ‎01-11-2017

regarding the REST API. I'm trying to get all logged events from the beginning.

How to create an 'all time' search with Splunk Ruby SDK?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation