Splunk Search
Highlighted

Using the Rest API endpoint, how do i know if a search Completed successfully or errored out?

Splunk Employee
Splunk Employee

So reading the documentation on http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch#Search_ID it seems that there is a flag/attribute for when a search has completed.

isDone = 0 | 1    
    * Is the search finished? 

But how can i tell if the search completed successfully or not? Is the isDone =1 true for a failed search as well as a successful search?

0 Karma
Highlighted

Re: Using the Rest API endpoint, how do i know if a search Completed successfully or errored out?

Splunk Employee
Splunk Employee

Just tested this.
If i run a search that completes successfully i get the:

isDone = 0 | 1
    * Is the search finished? 

However the same key is set when a search is also not successful, ie. fails. However, when this happens another attribute can be helpful and tell me that the search actually failed:

  isDone     1  
  isFailed   1

Moreover under the messages attribute you should see an error message such as:

messages    
  fatal     
   1. Error in 'eval' command: The operator at '\0' is invalid.

Hope this helps others out there
Cheers,
.gz

View solution in original post

Highlighted

Re: Using the Rest API endpoint, how do i know if a search Completed successfully or errored out?

Path Finder

An easy way to produce a failed job:

curl -u user:password -k https://localhost:8089/services/search/jobs -d'search=| eval x'

(some types of errors fail before even turning into a job)

0 Karma