Hello,
I'm new to the Java SDK and this is what I don't understand in my use of it so far:
Question 1:
I am using the search command with this search string:
String query = "search index=_internal | head 2";
I get the following results:
EVENT:********
  _bkt --> _internal~12~73571641-98D7-4A7F-BXXXXXXXX
  _cd --> 12:738551
  _serial --> 0
  _raw --> XXX.XXX.XXX.X - admin [21/Aug/2018:16:46:59.961 +0200] "GET /XXX/XXX/XXXX HTTP/1.1" 200 4930 - - - 1ms
  splunk_server --> XXX-XXX
  index --> _internal
  source --> C:\Program Files\Splunk\XXXXXX\splunkd_access.log
  _indextime --> 15345510
  _subsecond --> .961
  linecount --> 1
  _si --> XXX-XXX,_internal
  host --> XXX-XXX
  _sourcetype --> splunkd_access
  sourcetype --> splunkd_access
  _time --> 2018-08-21T16:46:59.961+02:00
EVENT:********
  _bkt --> _internal~12~73571641-98D7-4A7F-B8A6-BXXXXXXXX
  _cd --> 12:7389098
  _serial --> 1
  _raw --> 185.162.209.1 - admin [21/Aug/2018:16:46:59.705 +0200] "POST /XXX/XXX/XXXHTTP/1.1" 200 170 - - - 10ms
  splunk_server --> XXX-XXX
  index --> _internal
  source --> C:\Program Files\Splunk\XXX\splunkd_access.log
  _indextime --> 1534865515
  _subsecond --> .705
  linecount --> 1
  _si --> XXX-XXX,_internal
  host --> XXX-XXX
  _sourcetype --> splunkd_access
  sourcetype --> splunkd_access
  _time --> 2018-08-21T16:46:59.705+02:00
Can you tell me why this search string:
String query = "search index=_internal _serial=0 | head 2 ";
does not return anything? I expected it to retrieve the first EVENT.
Question 2:
Does the search string always have to mention an index name? I thought searching by keyword would work with the Java SDK, but it does not (for example, "search _serial=0" returns nothing).
In general, how different is the syntax we use in the GUI version from the syntax used on the command line? Are boolean operators accepted on the command line, for example?
My main goal is to let the user use my app the way he is used to in the GUI version (or as close as possible).
Thanks!
@michel_hc instead of depending on the SDK, can you not do | head 1 to get the first result instead of head 2?
Hi! My app is in Java and I chose to use this SDK to integrate Splunk into it, so it relies on it. But I'm just playing around with it for the moment as I'm new to it, and all I can see so far is that the search strings I pass to the SDK make sense to me but no results are returned; I don't see why the second query wouldn't work.
I'm just trying to understand what's wrong and what syntax I should use, because these don't work either:
String query = "search index=_internal _serial=0 | head 1";
String query = "search index=_internal _serial=0";
String query = "search index=_internal _serial='0'";
String query = "search index=_internal AND _serial=0";
String query = "search index=_internal and _serial=0";
Thanks for your help!
I meant the following, without _serial=0:
String query = "search index=_internal | head 1";
Hi! The results are not the point, actually. I'm just trying to understand how search strings work using the Java SDK. Why are the different queries I mentioned not returning anything?
I can't seem to find any information about the syntax.
Or am I missing some parameters for them to work?
If I bring you to SPL alone (without the Splunk SDK), the search query you are building looks at Splunk's _internal index and tries to find an internal field _serial with value 0, which, from my understanding, does not exist. So you do not get any results back.
For example, just take the following two queries as is and try running them in Splunk Search:
search index=_internal | head 1
search index=_internal _serial=0 | head 1
PS: Splunk Search by default adds a search keyword before our query in case it is not a generating command, i.e. starting with a pipe | like | makeresults. So it will remove the search command from the search string when you paste it in the Splunk Search bar.

Ok, I have the expected results with the following query:
String query = "search index=_internal | where _serial=0";
Now I'm just wondering if it is possible to make a search without mentioning an index.
For example, what if I wanted to know which indexes contain a certain keyword, how would I do that?
Or what if I wanted to list all the available indexes?
Thanks!
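As an added example (not code from this thread or from the Splunk SDK project), the following Java class runs the working `| where _serial=0` query through the SDK and lists the available indexes through the SDK's index collection instead of a search string; the host and the credentials read from environment variables are assumptions.

```java
import com.splunk.Event;
import com.splunk.Index;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.ResultsReaderXml;
import com.splunk.Service;
import com.splunk.ServiceArgs;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class SerialSearchExample {

    // Connection details are assumptions; credentials come from the environment, not the source.
    static Service connect() {
        ServiceArgs args = new ServiceArgs();
        args.setScheme("https");
        args.setHost(System.getenv("SPLUNK_HOST"));     // e.g. "localhost"
        args.setPort(8089);                             // management port, not the 8000 web UI port
        args.setUsername(System.getenv("SPLUNK_USER"));
        args.setPassword(System.getenv("SPLUNK_PASSWORD"));
        return Service.connect(args);
    }

    // _serial is assigned to results as they are returned; it is not an indexed field, so
    // filter on it after the search command (| where), not inside it.
    static List<String> firstRawEvent(Service service) throws Exception {
        String query = "search index=_internal | head 2 | where _serial=0";
        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING); // return only when the job is done
        Job job = service.getJobs().create(query, jobArgs);
        List<String> raws = new ArrayList<>();
        try (InputStream results = job.getResults();
             ResultsReaderXml reader = new ResultsReaderXml(results)) {
            Event event;                                // Event is a Map of field name -> value
            while ((event = reader.getNextEvent()) != null) {
                raws.add(event.get("_raw"));
            }
        }
        return raws;
    }

    // Index names come from the REST-backed index collection; no search string is needed.
    static List<String> indexNames(Service service) {
        List<String> names = new ArrayList<>();
        for (Index index : service.getIndexes().values()) {
            names.add(index.getName());
        }
        return names;
    }
}
```

Calling `firstRawEvent(connect())` should return a single-element list holding the `_raw` line of the first event, and `indexNames(connect())` returns every index the authenticated user's role is allowed to see.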
