Splunk Search

Overview

Read-type Snap
Works in Ultra Pipelines

You can use this Snap to execute a search query and retrieve data from Splunk using the Splunk REST API.

Prerequisites

None.

Limitations and Known Issues

None.

Snap Views


View	Description	Examples of Upstream and Downstream Snaps
Input	Any Snap with a document output view can be connected upstream.The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties. Upstream Snap is optional.	Mapper
Output	The Snap provides the document data stream for the search result.The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. Learn more about Splunk Search Output.	Mapper CSV Formatter
Error	Error handling is a generic way to handle errors without losing data or failing the Snap execution. You can handle the errors that the Snap might encounter when running the pipeline by choosing one of the following options from the When errors occur list under the Views tab. The available options are: Stop Pipeline Execution Stops the current pipeline execution when the Snap encounters an error. Discard Error Data and Continue Ignores the error, discards that record, and continues with the remaining records. Route Error Data to Error View Routes the error data to an error view without stopping the Snap execution. Learn more about Error handling in Pipelines.

Snap Settings

Note:

Suggestion icon (): Indicates a list that is dynamically populated based on the configuration.
Expression icon (): Indicates whether the value is an expression (if enabled) or a static value (if disabled). Learn more about Using Expressions in SnapLogic.
Add icon (): Indicates that you can add fields in the field set.
Remove icon (): Indicates that you can remove fields from the field set.


Field / Field Set	Type	Description
Label	String	Required. Specify a unique name for the Snap. Modify this to be more appropriate, especially if there are more than one of the same Snap in the pipeline. Default value: Splunk Search Example: Search employees list
Search query	String/Expression	Required. Specify the search query to submit to Splunk. Default value: N/A Example: "search * \| head 10" Search a default index "main" and get 10 events. "search index=test_index \| head 1000" Search a custom index "test_index" and get 1000 events
Earliest time	String/Expression	Specify the earliest time for searching the data. Default value: N/A Example: 1971-06-19T12:00:00:000-07:00
Latest time	String/Expression	Specify the latest time for search. This property is ignored if the Last property has a valid value. Default value: N/A Example: "2015-02-20T12:00:00.000-07:00"
Last	String/Expression	Specify the date or time interval for search. Leave this property blank if you want to use the Earliest/Latest time properties for the search. Default value: 7 Example: 100
Unit	Dropdown list	Specify the time unit for the Last property. The available options are: seconds minutes hours days weeks months quarters years Default value: days Example: years
Earliest relative	Dropdown list	Returns search results based on the earliest time you choose, relative to the Last and Unit fields. The available options are: No Snap-to: Decrements the start time by the value you specify in Latest Relative and Unit. Beginning of time: Resets the time based on the value you enter in Last and Unit. Default value: No Snap-to Example: Beginning of time
Latest relative	Dropdown list	Returns the search results based on the latest time you choose, relative to the Last and Unit fields. The available options are: Now: Sets the time to the value you enter in Last and Unit. Beginning of time: Resets the time based on the value you enter in Last and Unit. Default value: Now Example: Beginning of time
Preset relative search	Dropdown list	Returns events for the time range selected here. The available options are: None Today Week to date Business week to date Month to date Year to date Yesterday Previous week Previous business week Previous month Previous year Last 30 days Last 7 days Last 24 hours Last 4 hours Last 60 minutes Last 15 minutes Note: If Preset Relative Search is not set to None, the Snap ignores all values entered in the Earliest time, Latest time, Last, Unit, Earliest Relative and Latest Relative fields. Default value: None Example: Today
Response mode	Dropdown list	Select the format of response returned from the Splunk server. The available options are: XML JSON Default value: XML Example: JSON
Snap execution	Dropdown list	Select one of the three modes in which the Snap executes. Available options are: Validate & Execute. Performs limited execution of the Snap and generates a data preview during pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during pipeline runtime. Execute only. Performs full execution of the Snap during pipeline execution without generating preview data. Disabled. Disables the Snap and all Snaps that are downstream from it.

Splunk Search Output

An example of the output preview on the Search query property value of "search * | head 2" is as follows: The search output includes both, preview data from a search that is still in progress, indicated by "_preview":true, and the actual data after the search completes, indicated by "_preview":false. You must use a Filter Snap downstream to specify which of these data must be fed into downstream Snaps. To do this, in the Filter expression field of the Filter Snap specify the value of the Preview field as:

false, to use the actual results after the search completes.
true, to use a preview or partial result of a search that is still in progress. This is helpful in case of long searches. In addition, you can provide an offset value to indicate the serial number starting from which the records must be selected.

Note: Preview data is cumulative, therefore, it may include duplicate records from previous previews, if any.

 [
  {
    "_preview": false,
    "_offset": 0,
    "_sourcetype": "mailServiceLog",
    "index": "main",
    "host": "dropbox",
    "_cd": "0:49158",
    "_serial": "0",
    "_si": "dropbox,main",
    "splunk_server": "dropbox",
    "linecount": "1",
    "_indextime": "1422929287",
    "_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from 194.8.74.23 port 3351 ssh2",
    "source": "secure.log",
    "_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
    "_time": "2015-01-25T00:15:06.000+00:00",
    "sourcetype": "mailServiceLog"
  },
  {
    "_preview": false,
    "_offset": 1,
    "_sourcetype": "mailServiceLog",
    "index": "main",
    "host": "dropbox",
    "_cd": "0:49153",
    "_serial": "1",
    "_si": "dropbox,main",
    "splunk_server": "dropbox",
    "linecount": "1",
    "_indextime": "1422929287",
    "_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from 194.8.74.23 port 3768 ssh2",
    "source": "secure.log",
    "_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
    "_time": "2015-01-25T00:15:06.000+00:00",
    "sourcetype": "mailServiceLog"
  }
]

Examples

Write and query data in Splunk repository