Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rest API Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i run a post search method, it returns a sid. How would i come to know that the search is complete and that when i make a get call i would be able to fetch the resutls, i saw something as search_listener but wasnt able to understand, both post and get are being done through a java program.
Also i know that by using exec_mode : oneshot i can retrieve the results in the post call only but what if post and get are to be done separately?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You write a function that returns false if the job is complete and true if it is not.
then you call the function in a while loop.
while jobRunning(sid):
sleep(1)
code when job is complete here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want have separate calls to create search and fetch the results please follow the below steps.
- Create Search
curl -u username:passwd -k https://hostname:8089/services/search/jobs -d search="search *"
This return xml response with sid. You need to use the sid to get the status of the job
- Checkout status of search
curl -u username:passwd -k https://hostname:8089/services/search/jobs/1258421375.19
you should receive one of the following response
QUEUED
PARSING
RUNNING
PAUSED
FINALIZING
FAILED
DONE
If you receive a "DONE" response you can fetch the results using the below REST call
- Get search results
curl -u username:passwd -k https://hostname:8089/services/search/jobs/1258421375.19/results/ --get -d output_mode=csv
Refer this documentation for more info
https://docs.splunk.com/Documentation/Splunk/8.0.5/RESTTUT/RESTsearches#Example:_Create_a_search
Hope this helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But what if i want to write these 3 commands in a code, should i use a while loop to retrieve the status of the search till it gets "DONE"/"FAILED"? Is there any other alternative
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You write a function that returns false if the job is complete and true if it is not.
then you call the function in a while loop.
while jobRunning(sid):
sleep(1)
code when job is complete here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://community.splunk.com/t5/Splunk-Search/REST-API-Incomplete-Results/td-p/509829
I am getting inconsistent search results even through this method. Can you help me here?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
