Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Java API query syntax failure

tdhealy
Explorer
‎03-27-2018 11:21 AM

I''m using Splunk 6.6.3, Java API 1.6.4.0, Java 1.8.0_45, IntelliJ IDE.

I'm making part of a simple application that checks that a given system is actively logging, where the sourceType, hostname, and minutes back from present are being read from a database and become part of the query.

An equivalent search query that works as expected in Splunk GUI, with time set as "Last 60 minutes" would be:

sourcetype=WinEventLog:Security host=abcxyz | head 1

I'm working from the examples provided, but none seem to show multiple arguments i.e. sourcetype, host, time range. In the code below, if I set:

String mySearch = "search host="+ lsb.getSystem() + " "; // just a host String

It will work for at least some hosts.

If I try to add the sourcetype, all will fail:

String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " ";

Note: In the code below, the method minutesBackString() returns a String like: "2018-03-27T12:53:46.626-04:00"

Can someone suggest a combination that will give the equivalent result of the GUI search? Ideally I would specify the field list, but I can get by without that. Any suggestions very much appreciated. Please Ignore the boolean return for now - it will be dependent on the content returned by the query.

private boolean oneSystem(LoggingSystemBean lsb) {

    boolean retval = false;

    String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " "; // lsb.system is String
    JobArgs jobargs = new JobArgs();
    jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
    jobargs.setEarliestTime(minutesBackString(60));
    jobargs.setLatestTime(minutesBackString(0));
    jobargs.setMaximumCount(1);

    Job job = service.getJobs().create(mySearch, jobargs);

    try {
        while ( !job.isDone() ) {

            Thread.sleep(500);
        }
    } catch (InterruptedException ie) {

    }
    // Display results
    InputStream results = job.getResults();
    String line = null;
    try {
        BufferedReader br = new BufferedReader(new InputStreamReader(results, "UTF-8"));
        while ( (line = br.readLine()) != null ) {

            System.out.println(line);
        }
        br.close();

    } catch (Exception ex) {

        errLog.severe(ex.getMessage() + "\n" + ExceptionUtils.getStackTrace(ex));
    }
    return (retval);

}

0 Karma
Reply

logloganathan
Motivator
‎03-28-2018 10:10 AM

Hi,

Could you please do the following
1) please check if the particular host log coming to mentioned sourcetype
2)please put only sourcetype in the java search as follow
Search sourcetype=WinEventLog:Security | stats count by host

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top