What can I do to limit search results to one or more sourcetypes?
I am able to get the results through the Splunkweb UI but I need to get the same set of results from a command line as well. My sourcetype name is BIC_CS.
curl -u username:password -k https://hostname:8089/services/search/jobs -d "search=search sourcetype=BIC_CS"
When I create this search job, it results in 0 events whereas from UI, I get all events in this sourcetype.
Any help will be greatly appreciated!
asked 28 May '10, 20:31
Have you tried:
That's probably the easiest way. For more info run:
You can also run a search in "oneshot" mode and return the results directly. The results will be returned in an XML format (which isn't all that easy to parse with standard command line tools, but I think that's your only option in "oneshot" mode.) This example searches from
Notice that you have to encode any "
If you don't have command line access to the server, then I would suggest using one of the existing splunk-search client packages that already exist. You can certainly write your own (which I've done for a high-level integration platform that had the necessary HTTP and XML handling capabilities built in), or do some shell scripting with
If you don't have much programming experience, then I would recommend getting started with the Python search SDK. First, because it is a pretty easy language to learn and teaches good programming practices. And secondly, because Splunk uses it internally (and it is therefore well tested and up to date) and you may find it coming in handy down the road with other Splunk integration tasks.
Unfortunately, in your situation there are a few extra gotchas because you would need to use the Python SDK remotely. (Of course, you could simply install a local copy of Splunk, and just don't run it, but that seems a little silly.) I feel like there should be a good answer to this question, so I've asked "How to install the Python SDK on a remote machine?" Hopefully someone will provide some easier instructions on setting this up.
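The oneshot request and XML handling discussed in the answer above, as an added Python example (not part of the original post and not Splunk's own code). The `exec_mode=oneshot` parameter and the `<results>` layout are assumptions about the REST API, the function names are hypothetical, and the sample XML is constructed.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def build_oneshot_request(host, user, password, query, port=8089):
    """Build (without sending) the POST that runs a search in oneshot mode."""
    if not query.lstrip().startswith(("search ", "|")):
        query = "search " + query  # REST searches must start with a command
    # urlencode() percent-encodes quotes, '=' and spaces in the search string
    body = urllib.parse.urlencode({"search": query, "exec_mode": "oneshot"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # Passing this to urllib.request.urlopen() verifies the TLS certificate
    # by default, unlike curl -k.
    return urllib.request.Request(
        f"https://{host}:{port}/services/search/jobs",
        data=body.encode(), method="POST",
        headers={"Authorization": "Basic " + token})

def parse_results(xml_text):
    """Turn a <results> document into a list of {field: value-or-list} dicts."""
    events = []
    for result in ET.fromstring(xml_text).iter("result"):
        event = {}
        for field in result.findall("field"):
            # Assumed layout: ordinary fields use <value><text>, _raw uses <v>
            values = [t.text or "" for t in field.findall("value/text")]
            values += [v.text or "" for v in field.findall("v")]
            event[field.get("k")] = values[0] if len(values) == 1 else values
        events.append(event)
    return events

# Constructed sample response, not captured from a real server
SAMPLE_XML = """<results preview='0'>
  <result offset='0'>
    <field k='sourcetype'><value><text>BIC_CS</text></value></field>
    <field k='_raw'><v xml:space='preserve' trunc='0'>2010-05-28 20:31:00 login failed user=alice</v></field>
  </result>
  <result offset='1'>
    <field k='sourcetype'><value><text>BIC_CS</text></value></field>
    <field k='tag'><value><text>auth</text></value><value><text>failure</text></value></field>
    <field k='_raw'><v xml:space='preserve' trunc='0'>2010-05-28 20:32:10 login failed user=bob</v></field>
  </result>
</results>"""

if __name__ == "__main__":
    for event in parse_results(SAMPLE_XML):
        print(event)
```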