Splunk Search

Java SDK - Search strings syntax understanding

michel_hc
New Member

Hello,

I'm new with Java SDK and this is what I don't understand in my use of it so far :

Question 1:

I am using the search command with this search string :

String query = "search index=_internal | head 2";

I get the following results :

EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-BXXXXXXXX
_cd --> 12:738551
_serial --> 0
_raw --> XXX.XXX.XXX.X - admin [21/Aug/2018:16:46:59.961 +0200] "GET /XXX/XXX/XXXX HTTP/1.1" 200 4930 - - - 1ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXXXXX\splunkd_access.log
_indextime --> 15345510
_subsecond --> .961
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.961+02:00
EVENT:********
_bkt --> _internal~12~73571641-98D7-4A7F-B8A6-BXXXXXXXX
_cd --> 12:7389098
_serial --> 1
_raw --> 185.162.209.1 - admin [21/Aug/2018:16:46:59.705 +0200] "POST /XXX/XXX/XXXHTTP/1.1" 200 170 - - - 10ms
splunk_server --> XXX-XXX
index --> _internal
source --> C:\Program Files\Splunk\XXX\splunkd_access.log
_indextime --> 1534865515
_subsecond --> .705
linecount --> 1
_si --> XXX-XXX,_internal
host --> XXX-XXX
_sourcetype --> splunkd_access
sourcetype --> splunkd_access
_time --> 2018-08-21T16:46:59.705+02:00

Can you tell me why this search string :

String query = "search index=_internal _serial=0 | head 2 ";

does not return anything ? Because I expected to retrieve the first EVENT

Question 2:

Does the search string always have to mention an index name ? Because I thought searching by keyword would work with the Java SDK and it is not (for example : "search _serial=0" returns nothing).
In general, how different are the syntax that we use in the GUI version and the command lines ? Are the boolean operators accepted in command lines for example ?
My main goal is allowing the user to use my app as he is used to in the GUI version (or as close as possible).

Thanks !

0 Karma

niketn
Legend

@michel_hc instead on depending on SDK, can you not do | head 1 to get first result instead of head 2?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

michel_hc
New Member

Hi! My app is in Java and I chose to use this SDK to integrate Splunk to it so it relies on it. But I'm just playing around with it for the moment as I'm new with it and all I can see this far is that search strings that I pass to the SDK make sense to me but no results are returned ; I don't see why the second query wouldn't work.

I'm just trying to understand what's wrong and what syntax I should use because these don't work either:
String query = "search index=_internal _serial=0 | head 1";
String query = "search index=_internal _serial=0";
String query = "search index=_internal _serial='0'";
String query = "search index=_internal AND _serial=0";
String query = "search index=_internal and _serial=0";

Thanks for your help!

0 Karma

niketn
Legend

I meant the following without _serial=0:

String query = "search index=_internal | head 1";
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

michel_hc
New Member

Hi! The results are not the point actually. I'm just trying to understand how search strings work using the Java SDK. Why are the different queries that I mentioned not returning anything ?
I can't seem to find any information about the syntax.
Or am I missing some parameters for them to work ?

0 Karma

niketn
Legend

If I bring you to SPL alone (without Splunk SDK), the search query that you are building looks at Splunk's _internal index and tries to find an internal field _serial with value 0. Which from my understanding does not exist. So you do not get any results back.

For example Just take following two queries as is and try running in Splunk Search:

  1. search index=_internal | head 1
  2. search index=_internal _serial=0 | head 1 PS: Splunk Search by default adds a search keyword before our query in case it is not a generating command i.e. starting with pipe | like | makeresults. So, it will remove search command from the search string when you paste in Splunk Search bar.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

michel_hc
New Member

Ok, I have the expected results with this following query:

String query = "search index=_internal | where _serial=0";

Now I'm just wondering if it is possible to make a search without mentioning an index.
For example, what if I wanted to know the indexes containing a certain keyword, how would I do ?
Or what if I wanted to list all the available indexes ?

Thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...