Solved: Re: search using the Splunk API to get back a sing...

vasanthi77 · ‎09-05-2019

can we run a search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

I tried export like below which is giving streamed output, i want single result

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

I tried post like this , giving me SID( i dont wnt to use SID r saved search )

curl -k -u admin:admin https://searchhead:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search * | stats max(_time) AS _time BY "pctIdle" | sort 0 - _time | head 1|rename "pctIdle" AS Value " -d id=mysearch_0215194643 -d max_count=50000 -d status_buckets=300

Any other way to get results with out SID r saved search?

harsmarvania57 · ‎09-05-2019

Hi,

You can achieve this with your first search

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

but the problem is you didn't mention any time frame in your search and due to that it will search All Time and by default preview=true so it will preview result constantly as splunk is searching more data.

So you can try below command , in which you can specify earliest_time and latest_time& disable preview.

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now

View solution in original post

harsmarvania57 · ‎09-05-2019

Hi,

You can achieve this with your first search

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json

but the problem is you didn't mention any time frame in your search and due to that it will search All Time and by default preview=true so it will preview result constantly as splunk is searching more data.

So you can try below command , in which you can specify earliest_time and latest_time& disable preview.

curl -k -u admin:admin https://searchhead:8089/services/search/jobs/export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now

vasanthi77 · ‎09-05-2019

@harsmarvania57 getting this error response

  <response>
  <messages>
  <msg type="FATAL">
  Invalid sid: export -d search="search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value" -d output_mode=json -d preview=false -d earliest_time=-15m -d latest_time=now
  </msg>
  </messages>
  </response>

vasanthi77 · ‎09-05-2019

@harsmarvania57 Thanks for responding. It working as expected .

https://search head:8089/services/search/jobs/export?search=search *| stats max(_time) AS _time BY "pctIdle" | head 1|sort 0 - _time | rename "pctIdle" AS Value&preview=false&earliest_time=-2m&latest_time=now&output_mode=json

harsmarvania57 · ‎09-06-2019

Glad that it worked.

search using the Splunk API to get back a single result(not streaming) without using a saved search or SID?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)