Refine your search:

Can an API search cause Splunk to hang?

2

Hello,

we are using currently Splunk 3.4.4. and trying to commit a search via the REST API.

Our problem is that if we are using the term:

SearchJob job = smgr.dispatchAndWait(jp);

it causes Splunk to stop working properly. Login is not possible anymore then to the web interface, data is not getting indexed, the system is basically "halting".

Here is the Code we are using:

String hostUrl = "";
String query = "error | head 10";
BasicConfigurator.configure();

SplunkClient client = new SplunkClient(hostUrl);
client.login(user, password);

SearchManager smgr = client.getSearchManager();
JobParameters jp = new JobParameters();
jp.Search = query;

Calendar c = Calendar.getInstance();
c.set(Calendar.HOUR_OF_DAY, 0);
c.set(Calendar.MINUTE, 0);
c.set(Calendar.SECOND, 0);
c.set(Calendar.MILLISECOND, 0);
c.set(Calendar.DAY_OF_WEEK, Calendar.SUNDAY);
jp.setEarliestTime(c.getTime());
c.set(Calendar.DAY_OF_WEEK, Calendar.SATURDAY);
jp.setLatestTime(c.getTime());

SearchJob job = smgr.dispatchAndWait(jp);

CookedParameters cp = new CookedParameters();
List<String> fields = new ArrayList<String>();
fields.add("_raw");
fields.add("_time");
cp.FieldList = fields;

cp.Count = 100;
JsonArray jsa = job.getCookedResultsJSON(cp);
System.out.println(jsa);

if( jsa.size() > 5 )

System.out.println(jsa.get(5).getAsJsonObject().get("_raw"));

// Dismiss the search job to free resources
job.controlJob("cancel", "");

What is it that we are doing wrong?

asked 31 Dec '09, 17:39

tpaulsen's gravatar image

tpaulsen
1201219
accept rate: 6%

edited 20 Jan '10, 03:08

benstraw's gravatar image

benstraw
7151418
One Answer:
oldestnewestmost voted
4

The Java SDK wasn't tested to work with Splunk 3.x so although in general it should be compatible, it might have some quirks.

The best way to debug is to see the logs produced by the sdk (it prints them to stdout by default)

Second, as you figured that Splunk hangs while executing dispatchAndWait, I'd recommend to set smgr.setMaxAttempts(int maxAttempts) to some non-zero value - right now it's being set for unlimited polling attempts by default.

If that doesn't help, I'd check splunkd.log for error messages and crash* files inside /var/log/splunk if there are any.

link

answered 13 Jan '10, 01:24

Leo's gravatar image

Leo ♦
1.1k1313
accept rate: 43%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,640
×128
×26
×4

Asked: 31 Dec '09, 17:39

Seen: 1,113 times

Last updated: 20 Jan '10, 03:08

Related questions

Problems using the REST API to search

REST API Python - Issue with pulling results before search job is done.

Searching an chronic API

Rest api add parameters to a saved search

Issues with API using curl - "Method not allowed"

Receiving an HTTP 303 (See Other) response from Splunk Server using the API

REST API Specific Search

Getting Search Results using Java REST API

Copyright © 2005-2012 Splunk Inc. All rights reserved.