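/// <summary>
/// Submit a job to Splunk to be scheduled immediately.
/// </summary>
/// <param name="job">Job object containing details of the search job.</param>
/// <returns>Returns the string containing the Splunk job identifier.</returns>
/// <exception cref="Exception">
/// Thrown when the response document has no <c>/response/sid</c> element; the message
/// carries the raw response body returned by the Splunk API.
/// </exception>
public string SubmitJob(SplunkDataQuery job)
{
    string path = "/services/search/jobs";
    ServerRequest request = new ServerRequest(path, ServerRequest.HttpMethod.POST);

    // The SPL text is forwarded as-is in the "search" argument.
    request.Args.Add(new KeyValuePair<string, string>("search", job.Value));

    // Both bounds are converted to UTC and sent with an explicit +00:00 offset
    // ("s" yields yyyy-MM-ddTHH:mm:ss; the milliseconds are always written as .000).
    request.Args.Add(new KeyValuePair<string, string>("earliest_time", string.Format("{0}.000+00:00", job.EarliestTime.ToUniversalTime().ToString("s"))));
    request.Args.Add(new KeyValuePair<string, string>("latest_time", string.Format("{0}.000+00:00", job.LatestTime.ToUniversalTime().ToString("s"))));
    request.Args.Add(new KeyValuePair<string, string>("max_count", MaxCount.ToString()));
    request.Args.Add(new KeyValuePair<string, string>("timeout", SearchJobTtl.ToString()));

    ServerResponse response = this.Send(request);

    var doc = new XmlDocument();
    // Hardening: the body comes from the network, so never let the parser resolve
    // external DTDs or entities while loading it. Older .NET Framework versions
    // attach a URL resolver to XmlDocument by default; on newer runtimes this
    // assignment is a no-op.
    doc.XmlResolver = null;
    doc.LoadXml(response.Content);

    // Check for the missing node explicitly instead of catching the
    // NullReferenceException that dereferencing it would raise.
    XmlNode sidNode = doc.SelectSingleNode("/response/sid");
    if (sidNode == null)
    {
        throw new Exception(String.Format("Something went wrong while submitting the search to Splunk. The Splunk API returned:\n{0}", response.Content));
    }

    return sidNode.InnerText;
}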
/// <summary>
/// Fetches the results of a previously submitted search job.
/// </summary>
/// <param name="job">The job whose <c>RemoteId</c> identifies the search on the server.</param>
/// <param name="mode">Output format; its <c>ToString()</c> value is sent as <c>output_mode</c>.</param>
/// <returns>
/// The response body, or <c>null</c> when the server answers with HTTP status 204.
/// </returns>
public string GetJobResults(SplunkDataQuery job, OutputMode mode)
{
    // NOTE(review): RemoteId is placed into the URL path without escaping here;
    // confirm that ServerRequest encodes the path or that RemoteId is always a
    // server-issued job id.
    string resultsPath = string.Format("{0}/{1}/{2}", "/services/search/jobs", job.RemoteId, "results");
    ServerRequest resultsRequest = new ServerRequest(resultsPath, ServerRequest.HttpMethod.GET);

    // A count of 0 asks for every row.
    resultsRequest.Args.Add(new KeyValuePair<string, string>("count", "0"));
    resultsRequest.Args.Add(new KeyValuePair<string, string>("output_mode", mode.ToString()));

    ServerResponse reply = this.Send(resultsRequest);

    // Status 204 is reported to the caller as null rather than as a body.
    return reply.Status == 204 ? null : reply.Content;
}
/// <summary>
/// Creates a new query against the current DataSource's Splunk instance.
/// </summary>
/// <param name="key">The name of the search/job. It does not need to be globally unique.</param>
/// <param name="value">
/// The Splunk Processing Language (SPL) for the search query.
/// NOTE(review): presumably forwarded to Splunk unchanged, so callers that build it
/// from user input should validate that input first; confirm against SplunkDataQuery.
/// </param>
/// <param name="earliestTime">
/// The earliest event time for the search, passed as a <see cref="DateTime"/>.
/// For how Splunk interprets time bounds, see
/// http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Specifytimemodifiersinyoursearch
/// </param>
/// <param name="latestTime">
/// The latest event time for the search, passed as a <see cref="DateTime"/>.
/// See the same Splunk reference as <paramref name="earliestTime"/>.
/// </param>
/// <returns>A SplunkDataQuery, exposed as IDataQuery, used to manage the search job and its results.</returns>
public IDataQuery Query(string key, string value, DateTime earliestTime, DateTime latestTime)
{
    return new SplunkDataQuery(key, value, Service, earliestTime, latestTime);
}