
How to run a search and retrieve elements from a Splunk API in java

New Member

Hi.
I am trying to run a search against the Splunk API in Java, request the fields host, sourcetype and source via JobResultsArgs, and store the results in an input stream. Now I want to run through each result and retrieve the host and source.

// Needs: import java.io.InputStream; import com.splunk.Job; import com.splunk.JobArgs;
//        import com.splunk.JobResultsArgs; import com.splunk.Service;
public void search(String query, String startDate, String endDate) {
    String url = System.getProperty("SPLUNK.HOST");
    int port = Integer.getInteger("SPLUNK.PORT");
    String username = System.getProperty("SPLUNK.USERNAME");
    String password = System.getProperty("SPLUNK.PASSWORD");
    String searchQuery_normal = "search * | head 100";

    Service client = new Service(url.trim(), port);
    client.login(username, password);
    JobArgs jobArgs = new JobArgs();
    jobArgs.setEarliestTime(startDate);
    jobArgs.setLatestTime(endDate);
    Job job = client.getJobs().create(searchQuery_normal, jobArgs);
    while (!job.isDone()) {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

    JobResultsArgs jobRes = new JobResultsArgs();
    String[] fields = {"_raw", "host", "sourcetype", "source"};
    jobRes.setFieldList(fields);
    jobRes.setCount(2500);
    InputStream inpStream = job.getResults(jobRes);
    System.out.println("result size: " + job.getResultCount());
    for (int i = 0; i < job.getResultCount(); i++) {
        // loop body left empty in the post
    }
}

Here I want to get the host and source. I am stuck here.
Can you please help me with how I can proceed? I know I can use the ResultsReaderJson but I am not sure how to retrieve those elements.
Is there an example of this kind?


Re: How to run a search and retrieve elements from a Splunk API in java

Splunk Employee

Try this code:

// Needs: import java.io.InputStream; import com.splunk.Event; import com.splunk.ResultsReaderXml;
// The ResultsReaderXml constructor and getNextEvent() throw IOException.
InputStream inpStream = job.getResults(jobRes);
System.out.println("result size: " + job.getResultCount());
ResultsReaderXml resultsReader = new ResultsReaderXml(inpStream);
Event event = null;
while ((event = resultsReader.getNextEvent()) != null) {
    // keys are the field names exactly as Splunk returns them, so the raw text is under "_raw"
    System.out.println("raw:" + event.get("_raw"));
    System.out.println("host:" + event.get("host"));
    System.out.println("sourcetype:" + event.get("sourcetype"));
    System.out.println("source:" + event.get("source"));
}
resultsReader.close();

Similarly you can use ResultsReaderJson as well.

You can also refer to sample code in the How-To section of our Java SDK.


Re: How to run a search and retrieve elements from a Splunk API in java

New Member

Thank You for the quick response.


Re: How to run a search and retrieve elements from a Splunk API in java

New Member

System.out.println("result size: " + job.getResultCount());

Does this statement give the number of times the search query matched, or 100 as initialised in searchQuery_normal? Because I am getting 100 every time.


Re: How to run a search and retrieve elements from a Splunk API in java

Splunk Employee

getResultCount is the total count of results returned by the job. Keep in mind that this is different from getEventCount. You can read more here.

Btw, I think the reason you are getting 100 is because you have " ... | head 100" in your search query.


Re: How to run a search and retrieve elements from a Splunk API in java

New Member

Can we give
Job job = client.getJobs().create(searchQuery, jobArgs);
without giving the "...|head 100"? I was thrown an error when I tried to give just the search query, start time and end time arguments.


Re: How to run a search and retrieve elements from a Splunk API in java

Splunk Employee

You may be passing invalid arguments during creation. Keep in mind that the list of arguments is different for creation vs. getting results. Please review the documentation for How to run searches.


Re: How to run a search and retrieve elements from a Splunk API in java

New Member

I want to search for a query within the startTime and endTime. So I am taking jobArgs.setEarliestTime(startTime) and jobArgs.setLatestTime(endTime) and sending these arguments along with creating a search job.


Re: How to run a search and retrieve elements from a Splunk API in java

Splunk Employee

You may not be passing the values in the right format. Here is a way to pass time strings and you can also pass in relative time like "-20m@m". Please go through the documentation to learn more about job arguments.

// Assumes an authenticated Service named "service". Thread.sleep throws InterruptedException,
// so the enclosing method needs "throws InterruptedException" or a try/catch.
JobArgs jobArgs = new JobArgs();
jobArgs.setEarliestTime("2013-03-26T00:00:00.000-07:00");   // ISO-8601 with offset; relative times such as "-20m@m" also work
Job job = service.getJobs().create("search index=_internal", jobArgs);
while (!job.isDone()) {
    Thread.sleep(500);
}
System.out.println(job.getResultCount());


Re: How to run a search and retrieve elements from a Splunk API in java

New Member

This is the way I am passing the time strings, but I need to pass a query which is a string I stored in a variable. I want to pass that string. Instead of
Job job = service.getJobs().create("search index=_internal", jobArgs); can I use
Job job = service.getJobs().create(searchQuery, jobArgs);
where searchQuery has the string I am searching for?

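The following is an added example, not code from any post in this thread or from the Splunk Java SDK itself. It pulls the pieces of the thread together: connecting with credentials taken from system properties, passing a query held in a variable together with earliest/latest times in the JobArgs (the question in the last two posts), reading host/source/sourcetype/_raw out of each result with a results reader (the accepted answer), and paging through the full result set instead of depending on a single request's count. The helper normalizeQuery is an assumption of this example: it prepends the "search" command when the string does not already start with "search" or "|", which is the form the search jobs endpoint expects and the likely cause of the error the asker saw after dropping "search * | head 100". The class name SplunkSearchExample, the Hit type and the page size are also this example's own choices; HttpService.setSslSecurityProtocol assumes an SDK version that provides it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import com.splunk.Event;
import com.splunk.HttpService;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.SSLSecurityProtocol;
import com.splunk.Service;
import com.splunk.ServiceArgs;

/** Added example (not from the thread): run one SPL search for a time window and collect host/source per result. */
public class SplunkSearchExample {

    /** One result row, reduced to the four fields the thread asks about (type name is this example's own). */
    public static final class Hit {
        public final String host, source, sourcetype, raw;
        Hit(String host, String source, String sourcetype, String raw) {
            this.host = host; this.source = source; this.sourcetype = sourcetype; this.raw = raw;
        }
    }

    /**
     * Hypothetical helper: the search jobs endpoint expects the string to begin with the
     * "search" command or with "|" (a generating command). A bare "index=_internal error"
     * is rejected, so prepend "search " when it is missing.
     */
    static String normalizeQuery(String spl) {
        String q = spl.trim();
        if (q.isEmpty()) throw new IllegalArgumentException("empty search string");
        if (q.startsWith("|") || q.matches("(?s)search(\\s.*)?")) return q;
        return "search " + q;
    }

    /** Credentials come from JVM system properties (-DSPLUNK.HOST=... etc.), never from source code. */
    static Service connect() {
        ServiceArgs args = new ServiceArgs();
        args.setHost(System.getProperty("SPLUNK.HOST"));
        args.setPort(Integer.getInteger("SPLUNK.PORT", 8089));   // 8089 is the default management port
        args.setUsername(System.getProperty("SPLUNK.USERNAME"));
        args.setPassword(System.getProperty("SPLUNK.PASSWORD"));
        args.setScheme("https");
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);   // assumes SDK 1.5 or later
        return Service.connect(args);
    }

    public static List<Hit> search(Service service, String spl, String earliest, String latest)
            throws IOException, InterruptedException {
        JobArgs jobArgs = new JobArgs();                 // creation-time arguments only
        jobArgs.setEarliestTime(earliest);               // ISO-8601 or relative, e.g. "-24h@h"
        jobArgs.setLatestTime(latest);                   // e.g. "now"
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);

        Job job = service.getJobs().create(normalizeQuery(spl), jobArgs);
        try {
            while (!job.isDone()) {
                Thread.sleep(500);                       // isDone() refreshes the job state on each call
            }
            // Rows left after the whole pipeline ran, so "| head 100" caps this at 100.
            int total = job.getResultCount();
            List<Hit> hits = new ArrayList<>(total);
            final int page = 1000;                       // fetch in pages instead of one huge request
            for (int offset = 0; offset < total; offset += page) {
                JobResultsArgs resultsArgs = new JobResultsArgs();   // results-time arguments only
                resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
                resultsArgs.setFieldList(new String[] {"_raw", "host", "sourcetype", "source"});
                resultsArgs.setOffset(offset);
                resultsArgs.setCount(page);
                try (InputStream in = job.getResults(resultsArgs);
                     ResultsReaderJson reader = new ResultsReaderJson(in)) {
                    Event event;
                    while ((event = reader.getNextEvent()) != null) {
                        // Keys are the field names as Splunk returns them: "_raw", not "raw".
                        hits.add(new Hit(event.get("host"), event.get("source"),
                                         event.get("sourcetype"), event.get("_raw")));
                    }
                }
            }
            return hits;
        } finally {
            job.cancel();                                // free the search artifacts on the server
        }
    }

    public static void main(String[] argv) throws Exception {
        Service service = connect();
        try {
            String searchQuery = "index=_internal sourcetype=splunkd";   // constructed sample query
            for (Hit h : search(service, searchQuery, "-15m@m", "now")) {
                System.out.println(h.host + " " + h.source);
            }
        } finally {
            service.logout();
        }
    }
}
```

The query string is code that Splunk executes, not data: if searchQuery is assembled from input you do not control, appended pipe commands run with the privileges of the account doing the login, so keep that account's role limited to the indexes and capabilities the search actually needs, and validate or whitelist anything spliced into the string. Keeping JobArgs (creation) and JobResultsArgs (retrieval) separate, as above, avoids the invalid-argument error mentioned earlier in the thread.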