Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Java API query syntax failure

tdhealy
Explorer
‎03-27-2018 11:21 AM

I''m using Splunk 6.6.3, Java API 1.6.4.0, Java 1.8.0_45, IntelliJ IDE.

I'm making part of a simple application that checks that a given system is actively logging, where the sourceType, hostname, and minutes back from present are being read from a database and become part of the query.

An equivalent search query that works as expected in Splunk GUI, with time set as "Last 60 minutes" would be:

sourcetype=WinEventLog:Security host=abcxyz | head 1

I'm working from the examples provided, but none seem to show multiple arguments i.e. sourcetype, host, time range. In the code below, if I set:

String mySearch = "search host="+ lsb.getSystem() + " "; // just a host String

It will work for at least some hosts.

If I try to add the sourcetype, all will fail:

String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " ";

Note: In the code below, the method minutesBackString() returns a String like: "2018-03-27T12:53:46.626-04:00"

Can someone suggest a combination that will give the equivalent result of the GUI search? Ideally I would specify the field list, but I can get by without that. Any suggestions very much appreciated. Please Ignore the boolean return for now - it will be dependent on the content returned by the query.

private boolean oneSystem(LoggingSystemBean lsb) {

    boolean retval = false;

    String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " "; // lsb.system is String
    JobArgs jobargs = new JobArgs();
    jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
    jobargs.setEarliestTime(minutesBackString(60));
    jobargs.setLatestTime(minutesBackString(0));
    jobargs.setMaximumCount(1);

    Job job = service.getJobs().create(mySearch, jobargs);

    try {
        while ( !job.isDone() ) {

            Thread.sleep(500);
        }
    } catch (InterruptedException ie) {

    }
    // Display results
    InputStream results = job.getResults();
    String line = null;
    try {
        BufferedReader br = new BufferedReader(new InputStreamReader(results, "UTF-8"));
        while ( (line = br.readLine()) != null ) {

            System.out.println(line);
        }
        br.close();

    } catch (Exception ex) {

        errLog.severe(ex.getMessage() + "\n" + ExceptionUtils.getStackTrace(ex));
    }
    return (retval);

}

0 Karma
Reply

logloganathan
Motivator
‎03-28-2018 10:10 AM

Hi,

Could you please do the following
1) please check if the particular host log coming to mentioned sourcetype
2)please put only sourcetype in the java search as follow
Search sourcetype=WinEventLog:Security | stats count by host

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...