|
What can I do to limit search results for one or more sourcetypes. I am able to get the results through the Splunkweb UI but I need to get the same set of results from a command line as well. My sourcetype name is BIC_CS. curl -u username:password -k https://hostname:8089/services/search/jobs -d "search=search sourcetype=BIC_CS" When I create this search job, it results in 0 events whereas from UI, I get all events in this sourcetype. Any help will be greatly appreciated! Thanks |
|
Have you tried: That's probably the easiest way. For more info run: You can also run a search in "oneshot" mode and return the results directly. The results will be returned in an XML format (which isn't all that easy to parse with standard command line tools, but I think that's your only option in "oneshot" mode.) This example searches from Notice that you have to encode any "
If you don't have command line access to the server, then I would suggest using one of the existing splunk-search client packages that already exist. You can certainly write your own (which I've done for a high-level integration platform that had the necessary HTTP and XML handling capabilities built in), or do some shell scripting with If you don't have much programming experience, than I would recommend getting started with the Python search SDK. First because it pretty easy language to learn and teaches good programming practices. And secondly because splunk uses it internally (and it is therefore well tested an up to date) and you may find it coming in handy down the road with other splunk integration tasks. Documentation resources:
Unfortunately, in your situation there are a few extra gotchas because you would need to use the python SDK remotely. (Of course, you could simply install a local copy of splunk, and just don't run it, but that seems a little silly.) I feel like there should be a good answer to this question, so I've asked How to install the Python SDK on a remote machine? Hopefully someone will provide some easier instructions on setting this up. yeap, that should do it!
(28 May '10, 22:37)
Genti ♦
Here is a copy paste from Developer Manual from Splunk. It gives an example of searching for *. Create a search job by POSTing to the search/jobs/ endpoint. Set your search as the POST payload. For example: curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d"search=search *" Now when I need to limit the search results to a specific sourcetype, how should I write the same query? The name of the sourcetype is BIC_CS. I don't have access to Splunk CIL and I need to run this command line query remotely. Thanks Sandy
(01 Jun '10, 13:47)
sandy1978
Lowell, Thanks a lot for helping me figure out the issue with URLencoding. This tells me how long it's been since I did any serious coding!
(02 Jun '10, 15:25)
sandy1978
|
