Getting Data In

Java API query syntax failure


I''m using Splunk 6.6.3, Java API, Java 1.8.0_45, IntelliJ IDE.

I'm making part of a simple application that checks that a given system is actively logging, where the sourceType, hostname, and minutes back from present are being read from a database and become part of the query.

An equivalent search query that works as expected in Splunk GUI, with time set as "Last 60 minutes" would be:

sourcetype=WinEventLog:Security host=abcxyz | head 1

I'm working from the examples provided, but none seem to show multiple arguments i.e. sourcetype, host, time range. In the code below, if I set:

String mySearch = "search host="+ lsb.getSystem() + " "; // just a host String

It will work for at least some hosts.

If I try to add the sourcetype, all will fail:

String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " ";

Note: In the code below, the method minutesBackString() returns a String like: "2018-03-27T12:53:46.626-04:00"

Can someone suggest a combination that will give the equivalent result of the GUI search? Ideally I would specify the field list, but I can get by without that. Any suggestions very much appreciated. Please Ignore the boolean return for now - it will be dependent on the content returned by the query.

private boolean oneSystem(LoggingSystemBean lsb) {

    boolean retval = false;

    String mySearch = "search sourcetype=WinEventLog:Security host="+ lsb.getSystem() + " "; // lsb.system is String
    JobArgs jobargs = new JobArgs();

    Job job = service.getJobs().create(mySearch, jobargs);

    try {
        while ( !job.isDone() ) {

    } catch (InterruptedException ie) {

    // Display results
    InputStream results = job.getResults();
    String line = null;
    try {
        BufferedReader br = new BufferedReader(new InputStreamReader(results, "UTF-8"));
        while ( (line = br.readLine()) != null ) {


    } catch (Exception ex) {

        errLog.severe(ex.getMessage() + "\n" + ExceptionUtils.getStackTrace(ex));
    return (retval);


0 Karma



Could you please do the following
1) please check if the particular host log coming to mentioned sourcetype
2)please put only sourcetype in the java search as follow
Search sourcetype=WinEventLog:Security | stats count by host

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...