Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

vasanthi77
Explorer
‎09-05-2019 06:16 AM

can we run a search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

I tried export like below which is giving streamed output, i want single result

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

I tried post like this , giving me SID( i dont wnt to use SID r saved search )

curl -k -u admin:admin https://searchhead:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search * | stats max(_time) AS _time BY "pctIdle" | sort 0 - _time | head 1|rename "pctIdle" AS Value " -d id=mysearch_0215194643 -d max_count=50000 -d status_buckets=300

Any other way to get results with out SID r saved search?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-05-2019 08:02 AM

Hi,

You can achieve this with your first search

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

but the problem is you didn't mention any time frame in your search and due to that it will search All Time and by default preview=true so it will preview result constantly as splunk is searching more data.

So you can try below command , in which you can specify earliest_time and latest_time& disable preview.

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-05-2019 08:02 AM

Hi,

You can achieve this with your first search

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

but the problem is you didn't mention any time frame in your search and due to that it will search All Time and by default preview=true so it will preview result constantly as splunk is searching more data.

So you can try below command , in which you can specify earliest_time and latest_time& disable preview.

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now
Reply
Solved! Jump to solution

vasanthi77
Explorer
‎09-05-2019 04:46 PM

@harsmarvania57 getting this error response

  <response>
  <messages>
  <msg type="FATAL">
  Invalid sid: export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now
  </msg>
  </messages>
  </response>
0 Karma
Reply
Solved! Jump to solution

vasanthi77
Explorer
‎09-05-2019 06:50 PM

@harsmarvania57 Thanks for responding. It working as expected .

https://search head:8089/services/search/jobs/export?search=search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value&preview=false&earliest_time=-2m&latest_time=now&output_mode=json

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-06-2019 01:35 AM

Glad that it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...