Splunk Search

splunk API from browser

vasanthi77
Explorer

Hi all ,

I am using below url to get data from splunk

https://hostname:8089/v7/services/search/jobs/export?output_mode=json&search=search * | stats max(_time) AS _time BY "pctIdle" | sort 0 - _time | head 1|rename "pctIdle" AS Value |eval formatted=strftime(_time,"%25Y-%25m-%25d %25H:%25M:%25S%25z")

which is giving output continuously , even though i have mentioned head 1.

below is the actual query which gives one row.

* | stats max(_time) AS _time BY "pctIdle" | sort 0 - _time | head 1|rename "pctIdle" AS Value |eval formatted=strftime(_time,"%Y-%m-%d %H:%M:%S%z"

How do i achieve same from browser.

Tags (1)
0 Karma

drfk
New Member

This is expected behaviour as is documented here for the search/jobs/export endpoint:
"Stream search results as they become available."
https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch#search.2Fjobs.2Fexport

To get only a single result (i.e. not streaming), you could send a POST-request to the search/jobs endpoint. However, afaik this is not easily done in a browser.

0 Karma

vasanthi77
Explorer

@drfk Can i post using browser

0 Karma

drfk
New Member

There seem to be plugins for browsers that can do that, especially for testing REST APIs. However, you can better search for what you need yourself, as I wouldn't know any more about that.

0 Karma

jawaharas
Motivator

The issue is not replicable in Splunk 7.2. Which version of Splunk you are using?

0 Karma

vasanthi77
Explorer

@jawaharas I m using 7.2.7. I m getting continuous output like this , Is not the same case for you?

 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"51.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"100.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"100.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":true,"offset":0,"lastrow":true,"result":{"Value":"100.00","_time":"2019-09-02 14:08:56.000 AEST"}}
 {"preview":false,"offset":0,"lastrow":true,"result":{"Value":"100.00","_time":"2019-09-02 14:08:56.000 AEST"}}
0 Karma
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...