Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Java API query syntax failure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Java API query syntax failure
I''m using Splunk 6.6.3, Java API 1.6.4.0, Java 1.8.0_45, IntelliJ IDE.
I'm making part of a simple application that checks that a given system is actively logging, where the sourceType, hostname, and minutes back from present are being read from a database and become part of the query.
An equivalent search query that works as expected in Splunk GUI, with time set as "Last 60 minutes" would be:
sourcetype=WinEventLog:Security host=abcxyz | head 1
I'm working from the examples provided, but none seem to show multiple arguments i.e. sourcetype, host, time range. In the code below, if I set:
String mySearch = "search host="+ lsb.getSystem() + " "; // just a host String
It will work for at least some hosts.
If I try to add the sourcetype, all will fail:
String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " ";
Note: In the code below, the method minutesBackString() returns a String like: "2018-03-27T12:53:46.626-04:00"
Can someone suggest a combination that will give the equivalent result of the GUI search? Ideally I would specify the field list, but I can get by without that. Any suggestions very much appreciated. Please Ignore the boolean return for now - it will be dependent on the content returned by the query.
private boolean oneSystem(LoggingSystemBean lsb) {
boolean retval = false;
String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " "; // lsb.system is String
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
jobargs.setEarliestTime(minutesBackString(60));
jobargs.setLatestTime(minutesBackString(0));
jobargs.setMaximumCount(1);
Job job = service.getJobs().create(mySearch, jobargs);
try {
while ( !job.isDone() ) {
Thread.sleep(500);
}
} catch (InterruptedException ie) {
}
// Display results
InputStream results = job.getResults();
String line = null;
try {
BufferedReader br = new BufferedReader(new InputStreamReader(results, "UTF-8"));
while ( (line = br.readLine()) != null ) {
System.out.println(line);
}
br.close();
} catch (Exception ex) {
errLog.severe(ex.getMessage() + "\n" + ExceptionUtils.getStackTrace(ex));
}
return (retval);
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you please do the following
1) please check if the particular host log coming to mentioned sourcetype
2)please put only sourcetype in the java search as follow
Search sourcetype=WinEventLog:Security | stats count by host
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
