Splunk Search

Java SDK: Why am I only getting one field with stats?

Engager

I'm attempting to run the following search using the Splunk Java SDK:

index="[my_index]" sourcetype="[my_index]" | stats avg(response_time) by host

Of course, this gives me back my nice pretty response when run in the web GUI, but in the SDK, I get an entry for each host, but hardly any mention of the other field.
I've tried adding "| head", "| fields *" and "| fields avg(response_time), host" (that one actually changed the response string that comes back and gave me a new order, yay), as well as adding "response_time > 0" to the end of the search string (winds up bringing back nothing, for reasons I can't understand).

I've looked at several other links that I can't link because you guys apparently don't accept reddit karma. But there were a bunch of suggested links when I made the title, and they were all purple.

The field transformation that defines the field that I'm looking for is set to "Sharing: App" in the settings page. I'm not sure if that means global, but the best permissions I can set are "everyone can read it". I can attempt to contact our admin with specific "set this to global" instructions if I can find them.

I tried adding service.setNamespace with the application namespace that the field is defined in, but it changed nothing.

Edit: Just tried running the same query over the REST API (/search/jobs endpoint) and got back populated results, so I'm assuming it's not permissions and is rather an issue with how I'm using the code.
I also tried the "To run a normal search and poll for completion" section from http://dev.splunk.com/view/java-sdk/SP-CAAAEHQ, which seems to be the closest thing in the Java SDK, and am getting the same results as previously mentioned.

0 Karma
1 Solution

Splunk Employee

To me, this sounds like you are not running the search within the same application context.

Either set the permissions for the "response_time" field extraction to global or make sure to set the search context to the correct application for both searches (web UI and Java SDK).

That should solve your problem.


Engager

Setting the search context was a little tricky.

It appears as though, by default, any searches are executed as though in the Splunk "search" application (/search/search in the REST API or web GUI).

The context must be changed during initialization of the service object. There is a method which takes a ServiceArgs object, and a method which takes a Map<String, Object>. Even though the ServiceArgs one has explicit statements like "setHost", and fits the scheme of the rest of the API, it's marked as deprecated. Looking at the Map-based constructor provides all of the items it will digest. In order to set the app context, it was necessary for me to put the following keys: app, host, port.

0 Karma

SplunkTrust

Can you try renaming the field in stats? Something like this:

 index="[my_index]" sourcetype="[my_index]" | stats avg(response_time) as avg_response_time by host

0 Karma

Engager

Yup, tried that. It changed the field names in the response header, but the result elements still only had host.

0 Karma

Splunk Employee

Thanks for posting the search string!

Could you also describe the result you get and also the result you expected to get?

0 Karma

Splunk Employee

Could you post your source code, describe what results you get back and also describe what results you expect to get back?

0 Karma

Engager

For SDK code, I've been trying just about every example on the CAAAEHQ page. I have tried one-shot and export searches off the service object, tweaking every parameter I could find.

Currently, I'm attempting the following:

private InputStream getSearchResults()
{
    // Underscores restored where the forum markup had swallowed them.
    String searchQuery_normal = "search index=\"[ourindex]\" source=\"[our_source]\" "
            + "| stats avg(response_time) AS avg_resptime by host "
            + "| fields host, avg_resptime";
    JobArgs jobargs = new JobArgs();
    // jobargs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
    jobargs.put("earliest_time", "-1h@h");
    jobargs.put("latest_time", "now");
    jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
    Job job = service.getJobs().create(searchQuery_normal, jobargs);
    // BLOCKING mode already waits for completion; this loop is a belt-and-braces poll.
    while (!job.isDone()) {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
    System.out.println("Search job ID: " + job.getSid());
    return job.getResults();
}

If I curl the following URL, I get back a SID from the REST API:

https://[ouraccount].splunkcloud.com:8089/servicesNS/[myusername]/atcapps/search/jobs -d search="search index=[ourindex] sourcetype=[oursourcetype] earliest=\"-1h@h\" latest=\"now\" | stats avg(response_time) by host"

Using the REST API to compare responses, with the first SID (from the SDK) I get back XML response elements that contain a single field tag with a k value of host. With the latter SID (from curl), I get response elements that contain the desired two field tags: one host, and one avg(response_time).

0 Karma
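The app-context fix from the accepted answer, applied to the job-creation code posted just above, as an added example (this is not the poster's code nor taken from the Splunk SDK docs): the Service is built from the Map keys app, host and port (plus owner and credentials, so requests go to /servicesNS/<owner>/<app>/), and every result row is checked for the aggregated field so a missing extraction fails loudly instead of silently returning host only. The host, credentials and the avg_resptime alias are assumptions.

```java
import com.splunk.Event;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.ResultsReaderXml;
import com.splunk.Service;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class AppScopedStatsSearch {
    // Connect with an explicit owner/app namespace so app-scoped knowledge objects
    // (here the response_time extraction) are in scope for searches on this Service.
    static Service connect(String host, int port, String app,
                           String user, String password) {
        Map<String, Object> args = new HashMap<>();
        args.put("host", host);        // assumed: your search head or Splunk Cloud host
        args.put("port", port);        // management port, 8089 by default
        args.put("app", app);          // the app that owns the field extraction
        args.put("owner", user);       // with app, this selects /servicesNS/<owner>/<app>/
        args.put("username", user);
        args.put("password", password);
        return Service.connect(args);
    }

    // Run the stats search in blocking mode and return one map per result row;
    // throw if a row lacks the aggregate rather than quietly returning host only.
    static List<Map<String, String>> avgResponseTimeByHost(Service service, String index,
                                                           String sourcetype) throws Exception {
        String query = "search index=\"" + index + "\" sourcetype=\"" + sourcetype + "\""
                + " | stats avg(response_time) AS avg_resptime by host";
        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime("-1h@h");
        jobArgs.setLatestTime("now");
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
        Job job = service.getJobs().create(query, jobArgs);
        List<Map<String, String>> rows = new ArrayList<>();
        try (InputStream results = job.getResults()) {
            ResultsReaderXml reader = new ResultsReaderXml(results);
            Event event;
            while ((event = reader.getNextEvent()) != null) {
                if (!event.containsKey("avg_resptime")) {
                    throw new IllegalStateException("avg_resptime missing for host " + event.get("host"));
                }
                rows.add(new HashMap<>(event));
            }
            reader.close();
        }
        return rows;
    }
}
```

If the exception fires even with the correct app set, the extraction's sharing is still app-private to a different app and needs to be set to global by an admin.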