Splunk Search
Overview
You can use this Snap to execute a search query and retrieve data from Splunk using the Splunk REST API.
Read-type Snap
Works in Ultra Tasks
Prerequisites
None.
Limitations and known issues
None.
Snap views
| View | Description | Examples of upstream and downstream Snaps |
|---|---|---|
| Input | Any Snap with a document output view can be connected upstream.The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties. Upstream Snap is optional. |
|
| Output | The Snap provides the document data stream for the search result.The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. Learn more about Splunk Search Output. |
|
| Error |
Error handling is a generic way to handle errors without losing data or failing the Snap execution. You can handle the errors that the Snap might encounter when running the pipeline by choosing one of the following options from the When errors occur list under the Views tab. The available options are:
Learn more about Error handling in Pipelines. |
|
Snap settings
- Suggestion icon (
): Indicates a
list that is dynamically populated based on the configuration. - Expression icon (
): Indicates
whether the value is an expression (if enabled) or a static value (if disabled). Learn
more about Using Expressions in SnapLogic. - Add icon (
): Indicates that you can add fields in
the field set. - Remove icon (
): Indicates that you can remove
fields from the field set.
| Field / Field set | Type | Description |
|---|---|---|
| Label | String |
Required. Specify a unique name for the Snap. Modify this to be more appropriate, especially if more than one of the same Snaps is in the pipeline. Default value: Splunk Search Example: Search employees list |
| Search query | String/Expression |
Required. Specify the search query to submit to Splunk. Default value: N/A Example: "search * | head 10" Search a default index "main" and get 10 events. "search index=test_index | head 1000" Search a custom index "test_index" and get 1000 events |
| Earliest time | String/Expression |
Specify the earliest time for searching the data. Default value: N/A Example: 1971-06-19T12:00:00:000-07:00 |
| Latest time | String/Expression |
Specify the latest time for search. This property is ignored if the Last property has a valid value. Default value: N/A Example: "2015-02-20T12:00:00.000-07:00" |
| Last | String/Expression |
Specify the date or time interval for search. Leave this property blank if you want to use the Earliest/Latest time properties for the search. Default value: 7 Example: 100 |
| Unit | Dropdown list |
Specify the time unit for the Last property.
The available options are:
Default value: days Example: years |
| Earliest relative | Dropdown list |
Returns search results based on the earliest time you choose, relative to the Last and Unit fields.
The available options are:
Default value: No Snap-to Example: Beginning of time |
| Latest relative | Dropdown list |
Returns the search results based on the latest time you choose, relative to the Last and Unit fields.
The available options are:
Default value: Now Example: Beginning of time |
| Preset relative search | Dropdown list |
Returns events for the time range selected here.
The available options are:
Note:
If Preset Relative Search is not set to None, the Snap ignores all values entered in the
Earliest time, Latest time, Last, Unit,
Earliest Relative and Latest Relative fields.
Default value: None Example: Today |
| Response mode | Dropdown list |
Select the format of response returned from the Splunk server.
The available options are:
Default value: XML Example: JSON |
| Snap execution | Dropdown list | Select one of the three modes in which the Snap executes.
Available options are:
|
Splunk Search output
"search * | head 2" is as follows:
The search output includes both, preview data from a search that is still in progress, indicated by "_preview":true, and the actual data after the search completes, indicated by "_preview":false.
You must use a Filter Snap downstream to specify which of these data must be fed into downstream Snaps.
To do this, in the Filter expression field of the Filter Snap specify the value of the Preview field as:
false, to use the actual results after the search completes.-
true, to use a preview or partial result of a search that is still in progress. This is helpful in case of long searches. In addition, you can provide anoffsetvalue to indicate the serial number starting from which the records must be selected.
[
{
"_preview": false,
"_offset": 0,
"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49158",
"_serial": "0",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from 194.8.74.23 port 3351 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"
},
{
"_preview": false,
"_offset": 1,
"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49153",
"_serial": "1",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from 194.8.74.23 port 3768 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"
}
]