Rest API Search

vvvinamer
Engager

If I run a POST search method, it returns a sid. How would I come to know that the search is complete and that when I make a GET call I would be able to fetch the results? I saw something called search_listener but wasn't able to understand it. Both POST and GET are being done through a Java program.

Also, I know that by using exec_mode: oneshot I can retrieve the results in the POST call itself, but what if POST and GET are to be done separately?

 

0 Karma

anilchaithu
Builder

@vvvinamer 

If you want to have separate calls to create the search and fetch the results, please follow the steps below.

  • Create the search

curl -u username:passwd -k https://hostname:8089/services/search/jobs -d search="search *"

This returns an XML response with the sid. You need to use the sid to get the status of the job.

  • Check the status of the search

curl -u username:passwd -k https://hostname:8089/services/search/jobs/1258421375.19

You should receive one of the following responses:

   QUEUED
   PARSING
   RUNNING
   PAUSED
   FINALIZING
   FAILED
   DONE

If you receive a "DONE" response, you can fetch the results using the REST call below.

  • Get the search results

curl -u username:passwd -k https://hostname:8089/services/search/jobs/1258421375.19/results/ --get -d output_mode=csv

Refer to this documentation for more info:

https://docs.splunk.com/Documentation/Splunk/8.0.5/RESTTUT/RESTsearches#Example:_Create_a_search

 

Hope this helps!!!

vvvinamer
Engager

But what if I want to write these 3 commands in code? Should I use a while loop to retrieve the status of the search until it gets "DONE"/"FAILED"? Is there any other alternative?

0 Karma

jkat54
SplunkTrust

You write a function that returns false if the job is complete and true if it is not.

Then you call the function in a while loop.

while jobRunning(sid):
    sleep(1)

# code when job is complete here

0 Karma
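
A fuller version of the polling loop discussed above, as an added example that is not part of the original thread and not Splunk's own code: it treats DONE and FAILED as the only terminal states, backs off between polls, gives up at a deadline, and verifies the server certificate instead of using `-k`. It assumes the status call is made with output_mode=json and that the state sits at entry[0].content.dispatchState; `http_fetcher`, `wait_for_job`, `sample_body` and the sample responses are hypothetical names and constructed data.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

class SearchFailed(Exception):
    """The job reported dispatchState FAILED."""

class SearchTimeout(Exception):
    """The job did not reach DONE before the deadline."""

def dispatch_state(body):
    # Assumed layout of GET /services/search/jobs/<sid>?output_mode=json
    return json.loads(body)["entry"][0]["content"]["dispatchState"]

def http_fetcher(base_url, auth_header):
    """Build fetch(sid) that performs the status GET with TLS verification on."""
    ctx = ssl.create_default_context()  # validates the certificate (curl -k does not)
    def fetch(sid):
        # Quote the sid so it cannot alter the request path
        path = "/services/search/jobs/" + urllib.parse.quote(sid, safe="")
        req = urllib.request.Request(base_url + path + "?output_mode=json",
                                     headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    return fetch

def wait_for_job(fetch, sid, timeout=300.0, first_delay=0.5, max_delay=10.0,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll until DONE; raise on FAILED or when the deadline would be passed."""
    deadline = clock() + timeout
    delay = first_delay
    while True:
        state = dispatch_state(fetch(sid))
        if state == "DONE":
            return state
        if state == "FAILED":
            raise SearchFailed(f"search job {sid} failed")
        # QUEUED, PARSING, RUNNING, PAUSED, FINALIZING: not finished yet
        if clock() + delay > deadline:
            raise SearchTimeout(f"search job {sid} still {state} after {timeout}s")
        sleep(delay)
        delay = min(delay * 2, max_delay)  # back off between status calls

def sample_body(state):
    # Constructed response body, not captured from a real server
    return json.dumps({"entry": [{"content": {"dispatchState": state}}]})

def demo():
    replies = iter(sample_body(s) for s in ("QUEUED", "RUNNING", "DONE"))
    waits = []
    return wait_for_job(lambda sid: next(replies), "1258421375.19", sleep=waits.append), waits
```

Against a real server, pass `http_fetcher("https://hostname:8089", auth_header)` as `fetch` and request the results only after `wait_for_job` returns.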

vvvinamer
Engager

https://community.splunk.com/t5/Splunk-Search/REST-API-Incomplete-Results/td-p/509829

I am getting inconsistent search results even through this method. Can you help me here?

 

0 Karma