Hi.
I am trying to run a search from a Splunk API in Java, store the results with fields host, sourcetype, source in the JobResultsArgs and store them in an input stream. Now I want to run through each result and retrieve the host and source.
    public void search(String query, String startDate, String endDate) {
        String url = System.getProperty("SPLUNK.HOST");
        int port = Integer.getInteger("SPLUNK.PORT");
        String username = System.getProperty("SPLUNK.USERNAME");
        String password = System.getProperty("SPLUNK.PASSWORD");
        String searchQuery_normal = "search * | head 100";
        Service client = new Service(url.trim(), port);
        client.login(username, password);
        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime(startDate);
        jobArgs.setLatestTime(endDate);
        Job job = client.getJobs().create(searchQuery_normal, jobArgs);
        while (!job.isDone()) {
            try {
                Thread.sleep(500);
            } catch (InterruptedException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
        JobResultsArgs jobRes = new JobResultsArgs();
        String[] fields = {"_raw", "host", "sourcetype", "source"};
        jobRes.setFieldList(fields);
        jobRes.setCount(2500);
        InputStream inpStream = job.getResults(jobRes);
        System.out.println("result size: " + job.getResultCount());
        for (int i = 0; i < job.getResultCount(); i++) {
Here I want to get the host and source. I am stuck here.
Can you please help me with how I can proceed? I know I can use the ResultsReaderJson but I am not sure how to retrieve those elements.
Is there an example of this kind?

Try this code:
    InputStream inpStream = job.getResults(jobRes);
    System.out.println("result size: " + job.getResultCount());
    ResultsReaderXml resultsReader = new ResultsReaderXml(inpStream);
    Event event = null;
    while ((event = resultsReader.getNextEvent()) != null) {
        System.out.println("_raw:" + event.get("_raw"));
        System.out.println("host:" + event.get("host"));
        System.out.println("sourcetype:" + event.get("sourcetype"));
        System.out.println("source:" + event.get("source"));
    }
Similarly you can use ResultsReaderJson as well.
You can also refer to sample code in the How-To section of our Java SDK.

You may be passing invalid arguments during creation. Keep in mind that the list of arguments is different for creation vs. getting results. Please review the documentation for How to run searches.

Yeah, absolutely. Just make sure to put the search keyword before the search criteria. Good luck.
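
Added example, not part of the thread or of the Splunk SDK samples: the whole flow discussed here in one class, with the query passed in as a variable. The helper `buildSearch`, the class name, the sample text and the fallback port 8089 are assumptions made for illustration; the helper prepends the `search` command and quotes the text as a single phrase so it stays a literal.

```java
import com.splunk.*;
import java.io.IOException;

public class SplunkLiteralSearch {
    // Turn caller-supplied text into one quoted SPL term. The leading "search"
    // command is what the HTTP 400 'SearchParser' error in this thread was
    // missing; escaping \ and " keeps the text a literal, so a '|' inside it
    // cannot start a new SPL command.
    static String buildSearch(String literal) {
        if (literal == null || literal.trim().isEmpty()) {
            throw new IllegalArgumentException("empty search text");
        }
        String escaped = literal.replace("\\", "\\\\").replace("\"", "\\\"");
        return "search \"" + escaped + "\"";
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Connection settings come from system properties, as in the question.
        // 8089 is an assumed fallback (Splunk's default management port).
        Service service = new Service(System.getProperty("SPLUNK.HOST"),
                                      Integer.getInteger("SPLUNK.PORT", 8089));
        service.login(System.getProperty("SPLUNK.USERNAME"),
                      System.getProperty("SPLUNK.PASSWORD"));

        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime("-20m@m");   // relative time, as in the reply
        jobArgs.setLatestTime("now");

        // Constructed sample input standing in for a string passed from another method.
        String searchQuery = buildSearch("java.sql.SQLException: Closed Connection");
        Job job = service.getJobs().create(searchQuery, jobArgs);
        while (!job.isDone()) {
            Thread.sleep(500);
        }

        JobResultsArgs resultsArgs = new JobResultsArgs();
        resultsArgs.setFieldList(new String[] {"_raw", "host", "sourcetype", "source"});
        resultsArgs.setCount(2500);

        ResultsReaderXml reader = new ResultsReaderXml(job.getResults(resultsArgs));
        try {
            Event event;
            while ((event = reader.getNextEvent()) != null) {
                System.out.println(event.get("host") + " " + event.get("source"));
            }
        } finally {
            reader.close();   // releases the underlying HTTP stream
        }
    }
}
```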
@kalyani1184 -> could you please help me export the search results in the Splunk Java SDK?
Instead of giving the search string directly as "search java.sql.SQLException: Closed Connection", can we store that in a variable and use it, as we are passing that string from another method?
Thanks a lot. It's working.

Try this - searchQuery = "search java.sql.SQLException: Closed Connection";
"" + \"java.sql.SQLException: Closed Connection\"
This is the query I am passing, with escape characters for the quotes in the string.

Can you tell me what value you are passing for the searchQuery variable?
When I tried like that, it showed an error:
HTTP 400 -- Error in 'SearchParser': Missing a search command before '"'.

Yes, you can.
This is the way I am passing the time strings, but I need to pass a query which is a string I stored in a variable. I want to pass that string. Instead of
    Job job = service.getJobs().create("search index=_internal", jobArgs);
can I use
    Job job = service.getJobs().create(searchQuery, jobArgs);
where searchQuery has the string I am searching for?

You may not be passing the values in the right format. Here is a way to pass time strings and you can also pass in relative time like "-20m@m". Please go through the documentation to learn more about job arguments.
    JobArgs jobArgs = new JobArgs();
    jobArgs.setEarliestTime("2013-03-26T00:00:00.000-07:00");
    Job job = service.getJobs().create("search index=_internal", jobArgs);
    while (!job.isDone()) {
        Thread.sleep(500);
    }
    System.out.println(job.getResultCount());
I want to search for a query within the startTime and endTime. So I am taking jobargs.setEarliestTime(startTime) and jobargs.setLatestTime(endTime) and sending these arguments along with creating a search job.
Can we give
    Job job = client.getJobs().create(searchQuery, jobArgs);
without giving the "...|head 100"? I was thrown an error when I tried to give just the search query, start time and end time arguments.

getResultsCount is the total count of results returned by the job. Keep in mind that this is different from getEventCount. You can read more here.
Btw, I think the reason you are getting 100 is because you have " ... | head 100" in your search query.
    System.out.println("result size: " + job.getResultCount());
Does this statement give the number of times the search query was found, or 100 as initialized in searchQuery_normal? Because I am getting 100 every time.
Thank You for the quick response.
