I am writing a series of programs to make regular calls to the Splunk server and quickly sort the results of a search. The only language I use is Java, specifically the Eclipse IDE. I have the Splunk SDK downloaded and installed and added successfully to my Eclipse project. I have successfully connected to Splunk using my credentials.
My goal is to access the Splunk dashboard and retrieve all the events that result from a specific search, returning them as Strings or else in a .txt file. I have read the documentation extensively and tried several solutions including service.export and MultiResultsReaderXml, but neither seems speedy enough for my desires and neither seems to produce the Strings I need, namely the specific words of the Events from the search. Both seem like they would have to run for hours just to run a query on a one-second time frame. I need to be able to search at least an hour. Since the beginning of time would be even better.
The rest of the program is designed to use the text shown in the Splunk events, and should work once I have this last piece. Whether there is a quicker way or not, please let me know.
Thanks!
So, it turns out the easiest way to grab data is just to do a straight-out search. Use the .export command in Java and then, in the parentheses, type exactly the same search you put into Splunk, but type "search " in front with a space after it. This will give an overall search. To search for a specific time range, add "earliest=-" followed by the time range (like 1h for one hour or 15s for fifteen seconds), without the quotes, of course. This takes the search from about 3 hours to about 6 seconds, a very nice 180,000% increase in performance!
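The approach described in the answer above, written out as an added example (not code from the original post): it connects with the Splunk SDK for Java, prefixes the search with "search ", appends the earliest=- time modifier, and reads the export stream back as raw event Strings. The hostname, credentials, index name and search terms are assumptions.

```java
import com.splunk.Event;
import com.splunk.JobExportArgs;
import com.splunk.MultiResultsReaderXml;
import com.splunk.SearchResults;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class SplunkExportExample {

    // Runs an export search and returns the _raw text of every matching event.
    // "spl" is exactly what you would type into the Splunk search bar; the
    // "search " prefix and "earliest=-<range>" modifier are added here.
    public static List<String> exportRawEvents(Service service, String spl, String range) throws Exception {
        String query = "search " + spl + " earliest=-" + range;

        JobExportArgs exportArgs = new JobExportArgs();
        exportArgs.setOutputMode(JobExportArgs.OutputMode.XML); // MultiResultsReaderXml needs XML output
        exportArgs.setSearchMode(JobExportArgs.SearchMode.NORMAL);

        List<String> rawEvents = new ArrayList<>();
        try (InputStream stream = service.export(query, exportArgs);
             MultiResultsReaderXml reader = new MultiResultsReaderXml(stream)) {
            // An export stream is a sequence of result sets; preview sets may arrive first.
            for (SearchResults results : reader) {
                if (results.isPreview()) continue; // keep only final results, skip partial previews
                for (Event event : results) {
                    String raw = event.get("_raw");
                    if (raw != null) rawEvents.add(raw);
                }
            }
        }
        return rawEvents;
    }

    public static void main(String[] args) throws Exception {
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setHost("splunk.example.internal"); // assumed hostname
        loginArgs.setPort(8089);                       // Splunk management port
        loginArgs.setUsername("search_user");          // assumed; a least-privilege search-only account
        loginArgs.setPassword("CHANGE_ME");            // placeholder
        Service service = Service.connect(loginArgs);

        // Assumed search: last hour of server errors from an assumed web index.
        List<String> events = exportRawEvents(service, "index=web sourcetype=access_combined status=500", "1h");
        for (String line : events) System.out.println(line);
    }
}
```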
@ppablo_splunk Hi, I have the same requirement and followed the same, but somehow I am unable to do the export search. Could you please help me with it?