/// <summary>
        /// Submit a job to Splunk to be scheduled immediately.
        /// </summary>
        /// <param name="job">Job object containing details of the search job.</param>
        /// <returns>Returns the string containing the Splunk job identifier.</returns>
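        public string SubmitJob(SplunkDataQuery job)
        {
            // A POST to the search-jobs endpoint creates the job; the job id (sid) is read
            // from the XML reply further down.
            string        path    = "/services/search/jobs";
            ServerRequest request = new ServerRequest(path, ServerRequest.HttpMethod.POST);

            // job.Value is handed to Splunk verbatim as the search string. Nothing in this method
            // validates or escapes it, so callers that assemble SPL from user-supplied text have to
            // constrain that text before it gets here.
            request.Args.Add(new KeyValuePair<string, string>("search", job.Value));

            // Both bounds are converted to UTC. The "s" format yields yyyy-MM-ddTHH:mm:ss; the literal
            // suffix appends zero milliseconds and an explicit +00:00 offset.
            request.Args.Add(new KeyValuePair<string, string>("earliest_time", string.Format("{0}.000+00:00", job.EarliestTime.ToUniversalTime().ToString("s"))));
            request.Args.Add(new KeyValuePair<string, string>("latest_time", string.Format("{0}.000+00:00", job.LatestTime.ToUniversalTime().ToString("s"))));
            request.Args.Add(new KeyValuePair<string, string>("max_count", MaxCount.ToString()));
            request.Args.Add(new KeyValuePair<string, string>("timeout", SearchJobTtl.ToString()));

            ServerResponse response = this.Send(request);

            // The reply is parsed as XML, so switch off resolution of external entities and external
            // DTDs before loading it: older .NET Framework versions attach a URL resolver to
            // XmlDocument by default, which would let a tampered or spoofed reply cause local file or
            // network reads (XXE).
            var doc = new XmlDocument();
            doc.XmlResolver = null;
            doc.LoadXml(response.Content);

            // Test for the missing node explicitly instead of provoking a NullReferenceException and
            // catching every exception type; the failure surfaced to the caller is unchanged.
            XmlNode sidNode = doc.SelectSingleNode("/response/sid");

            if (sidNode == null)
            {
                // NOTE(review): the message carries the raw response body. Treat it as diagnostic
                // data and keep it out of anything shown to end users.
                throw new Exception(String.Format("Something went wrong while submitting the search to Splunk. The Splunk API returned:\n{0}", response.Content));
            }

            return sidNode.InnerText;
        }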
        /// <summary>
        /// Fetches the results of a previously submitted search job.
        /// </summary>
        /// <param name="job">Job whose RemoteId identifies the search on the server.</param>
        /// <param name="mode">Output mode; its ToString() value is sent as the output_mode argument.</param>
        /// <returns>The response body, or null when the server answers with HTTP status 204.</returns>
        public string GetJobResults(SplunkDataQuery job, OutputMode mode)
        {
            // job.RemoteId is placed into the URL path as-is.
            // NOTE(review): presumably this is the sid returned by SubmitJob - confirm it can never
            // carry caller-controlled path characters.
            var resultsPath    = string.Format("{0}/{1}/{2}", "/services/search/jobs", job.RemoteId, "results");
            var resultsRequest = new ServerRequest(resultsPath, ServerRequest.HttpMethod.GET);

            // count=0 asks for every row rather than a single page.
            resultsRequest.Args.Add(new KeyValuePair<string, string>("count", "0"));
            resultsRequest.Args.Add(new KeyValuePair<string, string>("output_mode", mode.ToString()));

            var reply = this.Send(resultsRequest);

            // 204 carries no body; callers receive null in that case.
            // NOTE(review): presumably this means the job has not finished yet - confirm.
            return reply.Status == 204 ? null : reply.Content;
        }
        /// <summary>
        /// Runs a new query against the current DataSource's Splunk instance
        /// </summary>
        /// <param name="key">The name of the Search/Job. It does not need to be globally unique.</param>
        /// <param name="value">The Splunk Processing Language (SPL) for the search query.</param>
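        /// <param name="earliestTime">
        /// The earliest event time in Splunk time format, e.g. -1d@d or %m/%d/%Y:%H:%M:%S.
        /// Note that the parameter is typed <see cref="DateTime"/>, so a relative modifier such as -1d@d
        /// has to be resolved to a concrete instant by the caller before it is passed in.
        /// See http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Specifytimemodifiersinyoursearch
        /// </param>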
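        /// <param name="latestTime">
        /// The latest event time in Splunk time format, e.g. @d or %m/%d/%Y:%H:%M:%S.
        /// Note that the parameter is typed <see cref="DateTime"/>, so a relative modifier such as @d
        /// has to be resolved to a concrete instant by the caller before it is passed in.
        /// See http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Specifytimemodifiersinyoursearch
        /// </param>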
        /// <returns>SplunkQuery object to manage the Splunk search query job and results. </returns>
        public IDataQuery Query(string key, string value, DateTime earliestTime, DateTime latestTime)
        {
            // This method only constructs the query object; whether construction also starts the
            // search is decided by SplunkDataQuery and is not visible here.
            // The SPL text in value is forwarded unchanged - no validation or escaping happens at
            // this layer, so it must not be built from unchecked user input.
            return new SplunkDataQuery(key, value, Service, earliestTime, latestTime);
        }