Splunk Search

Is there an option to stop a search job after a certain time through Splunk REST API?

I have a Splunk search which takes long time to execute. I want to stop the Splunk job if it doesn't complete in a minute or 2. Does Splunk REST API have an option for that?

I tried autocancel, timeout and job.cancel, nothing works. Any help greatly appreciated.

code snippet

    JobArgs jobargs = new JobArgs();
    jobargs.setAutoCancel(60);
    jobargs.setTimeout(0);
    jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);

Service service =splunkconnection.connect();            
Job job = service.getJobs().create(query, jobargs);

JobResultsArgs resultsArgs = new JobResultsArgs();
resultsArgs.setCount(0);
resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
InputStream resultsNormalSearch = job.getResults(resultsArgs);

reader= new ResultsReaderJson(resultsNormalSearch);
HashMap<String, String> event;
while ((event = reader.getNextEvent()) != null) {
  -- process response
}
resultsReader.close();
job.cancel();
0 Karma

Motivator

It looks like you can send a cancel request via the job control API:

http://docs.splunk.com/Documentation/Splunk/6.4.3/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D...

It doesn't look exactly like what you are looking for, but there is also an auto_cancel and auto_finalize option to the jobs method when you submit a job.

http://docs.splunk.com/Documentation/Splunk/6.4.3/RESTREF/RESTsearch#POST_search.2Fjobs_method_detai...

we can't get the jobid to send a cancel request. but the auto cancel seems to be working. Thanks.

0 Karma

Does any know how to implement this?

0 Karma