Splunk Search

What is the fastest way to turn Splunk search results into analyzable text using Java Eclipse?

DreadEclipse
Explorer

I am writing a series of programs to make regular calls to the Splunk server and quickly sort the results of a search. The only language I use is Java, specifically the Eclipse IDE. I have the Splunk SDK downloaded and installed and added successfully to my Eclipse project. I have successfully connected to splunk using my credentials.

My goal is to access the splunk dashboard and retrieve all the events that result from a specific search, returning them as Strings or else in a .txt file. I have read the documentation extensively and tried several solutions including service.export and MultiResultsReaderXml but neither seem speedy enough for my desires and neither seems to produce the Strings I need, namely the specific words of the Events from the search. Both seem like they would have to run for hours just to run a query on a one second time frame. I need to be able to search at least an hour. Since the beginning of time would be even better.

The rest of the program is designed to use the text shown in the Splunk events, and should work once I have this last piece. Whether there is a quicker way or not, please let me know.

Thanks!

0 Karma
1 Solution

DreadEclipse
Explorer

So, it turns out the easiest way to grab data is just to do a straight out search. Use the .export command in java and then, in the parenthesis type exactly the same search you put into Splunk, but type "search " in front with a space after it. This will give an overall search. To search for a specific time range, add "earliest=-" followed by the time range (like 1h for one hour or 15s for fifteen seconds), without the quotes, of course. This takes the search from about 3 hours to about 6 seconds, a very nice 180,000% increase in performance!

View solution in original post

0 Karma

harikag
New Member

@ppablo_splunk Hi, I have the same requirement and followed the same but somehow i am unable to do the export search. Could you please help me in it.

0 Karma

DreadEclipse
Explorer

So, it turns out the easiest way to grab data is just to do a straight out search. Use the .export command in java and then, in the parenthesis type exactly the same search you put into Splunk, but type "search " in front with a space after it. This will give an overall search. To search for a specific time range, add "earliest=-" followed by the time range (like 1h for one hour or 15s for fifteen seconds), without the quotes, of course. This takes the search from about 3 hours to about 6 seconds, a very nice 180,000% increase in performance!

0 Karma
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...