Splunk Search

How to search Data Models with Javascript in a Search Manager or through a Data Model Object?

nprab428
Engager

I've created a data model and want to search it in my external Javascript. For my first attempt, a SearchManager would not start the search using the data model query:

    var datamodelSearch = new SearchManager({
        id: "datamodelSearch",
        search: '| datamodel test_commits commits search | where Commit = $commithash$ | head 5 ',
            earliest_time: '-30d'
            latest_time: 'now'
            preview: false,
        cache: true
    }, { tokens: true });

    datamodelSearch.on('search:start', function() {
        console.log('DM STARTED!!!'); // would never get here
    });

On a second attempt, I was trying to use the DataModelObject class, following this documentation:

http://dev.splunk.com/view/javascript-sdk/SP-CAAAEY8#workwithobjects

 var service = mvc.createService({ owner: "nobody" });
    service.dataModels().fetch(function(err, dataModels) { 
        var object = dataModels.item("test_commits").objectByName("commits");
        object.startSearch({}, "| head 5", function(err, job) {
            console.log("The job has name:", job.name);
            job.results({count: 5}, function(err, results, job) {
                 console.log("Fields: ", results.results); // results would be null
            });             
        });
    });

This second search created a search job with a search id, but I was not able to pull the results from the job. However, if I looked up the search id in the job inspector, I would correctly see 5 results.

Could anyone help me out?

1 Solution

nprab428
Engager

Turns out my searchmanager syntax was wrong (forgot commas around the time range, and quotes around the commit hash).

View solution in original post

0 Karma

nprab428
Engager

Turns out my searchmanager syntax was wrong (forgot commas around the time range, and quotes around the commit hash).

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If you have solved the issue, please convert your comment to an answer and accept the answer. It might also help others if you posted what you found to be the correct syntax.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...