Solved: Java SDK: Why am I only getting one field with sta...

EricWehrly · ‎01-27-2016

I'm attempting to run the following search using the Splunk Java SDK:

index="[my_index]" sourcetype="[my_index]" | stats avg(response_time) by host

Of course, this gives me back my nice pretty response when run in the web GUI, but in the SDK, I get an entry for each host, but hardly any mention of the other field.
I've tried adding |head and |fields * and | fields avg(response_time), host (that one actually changed the response string that comes back and gave me a new order. yay), as well as adding response_time > 0 to the end of the search string (winds up bringing back nothing for reasons I can't understand).

I've looked at several other links that I can't link because you guys apparently don't accept reddit karma. But there were a bunch of suggested links when I made the title, and they were all purple.

The field transformation that defines the field that I'm looking for is set to "Sharing: App" in the settings page. I'm not sure if that means global, but the best permissions I can set are "everyone can read it". I can attempt to contact our admin with specific "set this to global" instructions if I can find them.

I tried adding service.setNamespace to the application namespace that the field is defined in, it changed nothing.

Edit: Just tried running the same query over the REST API (/search/jobs endpoint) and got back populated results, so I'm assuming it's not permissions and is rather an issue with how I'm using the code.
I also tried "To run a normal search and poll for completion" section from http://dev.splunk.com/view/java-sdk/SP-CAAAEHQ
which seems to be the closest thing in the Java SDK, and am getting the same results as previously mentioned.

rfujara_splunk · ‎02-01-2016

To me, this sounds like you are not running the search within the same application context.

Either set the permissions for the "response_time" field extraction to global or make sure to set the search context to the correct application for both searches (web UI and Java SDK).

That should solve your problem.

View solution in original post

rfujara_splunk · ‎02-01-2016

To me, this sounds like you are not running the search within the same application context.

Either set the permissions for the "response_time" field extraction to global or make sure to set the search context to the correct application for both searches (web UI and Java SDK).

That should solve your problem.

EricWehrly · ‎02-01-2016

Setting the search context was a little tricky.

It appears as though by default, any searches are executed as though in the splunk "search" application (/search/search in the rest API or web GUI).

The context must be changed during initialization of the service object.
There is a method which takes a ServiceArgs object, and a method which takes a Map of String, Object. Even though the ServiceArgs one has explicit statements like "setHost", and fits the scheme of the rest of the API, it's marked as deprecated. Looking at the Map-based constructor provides all of the items it will digest. In order to set the app context, it was necessary for me to put the following keys:
app, host, port.

somesoni2 · ‎01-29-2016

Can you try renaming the field in stats and try? Something like this

 index="[my_index]" sourcetype="[my_index]" | stats avg(response_time) as avg_response_time by host

EricWehrly · ‎01-29-2016

Yup, tried that. It changed the field names in the response header, but the result elements still only had host.

rfujara_splunk · ‎01-29-2016

Thanks for posting the search string!

Could you also describe the result you get and also the result you expected to get?

rfujara_splunk · ‎01-29-2016

Could you post your source code, describe what results you get back and also describe what results you expect to get back?

EricWehrly · ‎01-29-2016

For SDK code, I've been trying just about every example on the CAAAEHQ page. I have tried one-shot and export searches off of the service object, tweaking every parameter I could find.

Currently, I'm attempting the following:

private InputStream getSearchResults()
{
String searchQuery_normal = "search index=\"[our_index]\"
source=\"[our_source]\" | stats
avg(response_time) AS avg_resp_time by
host | fields host, avg_resp_time ";
JobArgs jobargs = new JobArgs();
// jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
jobargs.put("earliest_time", "-1h@h");
jobargs.put("latest_time", "now");
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
Job job = service.getJobs().create(searchQuery_normal,
jobargs);
while (!job.isDone()) {
try {
Thread.sleep(500);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
System.out.println("Search job ID: " + job.getSid());
return job.getResults();

If I curl the following URL, I get back a SID from the REST API:

https://[ouraccount].splunkcloud.com:8089/servicesNS/[myusername]/atc_apps/search/jobs -d search="search index=[our_index] sourcetype=[our_sourcetype] earliest=\"-1h@h\" latest=\"now\" | stats avg(response_time) by host"

Using the REST API to compare responses, with the first SID, I get back XML response elements that contain a single field tag with a k value of host. With the latter SID, I get response elements that contain the desired two field tags; one host, and one avg(response_time)

Java SDK: Why am I only getting one field with stats?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes