
Snap Type:

Read

Description:

This Snap executes a saved search query and retrieves the results from Splunk using the Splunk REST API. You can configure a polling interval at which the Snap checks the status of the search. If the search takes longer than the configurable timeout limit, the Snap throws an exception.

  • Expected upstream Snaps: Upstream Snap is optional. Any Snap with a document output view can be connected upstream.
  • Expected downstream Snaps: Any Snap with a document input view can be connected downstream, such as Mapper, CSV Formatter, JSON Formatter, XML Formatter or Structure.
  • Expected input: The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties.
  • Expected output: The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view.
Prerequisites:

[None]

Support and limitations:

  • Ultra pipelines: Works in Ultra Pipelines.
  • Spark mode: Not supported in Spark mode.
Account: 

This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. The Snap requires a Splunk Basic Auth Account.

Views:


Input: This Snap has exactly one document input view. It may contain values to evaluate the JavaScript expression in the Saved search name property.

Output: This Snap has exactly one document output view and provides the document data stream for the search result.

Error: This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the search operation, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace.


Sample error output preview:

{
        "error": "Failed to get search result",
        "reason": "Invalid search query or <an error message from Splunk>",
        "resolution": "Please address the reported issue.",
        "stacktrace": "com.Snaplogic.Snap.api.SnapDataException:  ... "
}

An example of the output preview on the Search query property value of "search * | head 2" is as follows:



[
    {
        "_sourcetype": "mailServiceLog",
        "index": "main",
        "host": "dropbox",
        "_cd": "0:49158",
        "_serial": "0",
        "_si": "dropbox,main",
        "splunk_server": "dropbox",
        "linecount": "1",
        "_indextime": "1422929287",
        "_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from 194.8.74.23 port 3351 ssh2",
        "source": "secure.log",
        "_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
        "_time": "2015-01-25T00:15:06.000+00:00",
        "sourcetype": "mailServiceLog"
    },
    {
        "_sourcetype": "mailServiceLog",
        "index": "main",
        "host": "dropbox",
        "_cd": "0:49153",
        "_serial": "1",
        "_si": "dropbox,main",
        "splunk_server": "dropbox",
        "linecount": "1",
        "_indextime": "1422929287",
        "_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from 194.8.74.23 port 3768 ssh2",
        "source": "secure.log",
        "_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
        "_time": "2015-01-25T00:15:06.000+00:00",
        "sourcetype": "mailServiceLog"
    }
]






Settings

Label

Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Saved search name

Required. A saved search is a search query that has been saved in Splunk.  All saved searches will be listed if you click on the Suggest button in the property.

Example: License Usage Data Cube, Errors in the last 24 hours

Default value:  [None]

Polling interval


Required. This property lets you define the polling interval in seconds while waiting for the completion of the search execution. At each polling interval, the Snap checks the status of the search execution.

Example: 5

Default value:  5

Maximum value: 60

Polling timeout


Required. This property lets you define the polling timeout in seconds while waiting for the completion of the search execution. If the timeout occurs while waiting for the completion of the search execution, the Snap throws an exception.

Example: 300

Default value:  300

Minimum value: 10


Examples
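
The following Python is an added example, not SnapLogic's code. It mirrors the Polling interval and Polling timeout settings and the XML-to-document step described above. Assumptions: `get_state` is a hypothetical callable that returns the Splunk job's `dispatchState`, the `sleep` and `clock` parameters exist only so the loop can be tested without waiting, and `SAMPLE_XML` is constructed.

```python
import time
import xml.etree.ElementTree as ET

MAX_INTERVAL, MIN_TIMEOUT = 60, 10  # limits stated in the Settings section

class SearchTimeout(Exception):
    """The search did not reach DONE within the polling timeout."""

def wait_for_job(get_state, interval=5, timeout=300,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll get_state() every `interval` seconds; return the number of polls."""
    if not 0 < interval <= MAX_INTERVAL:
        raise ValueError("polling interval must be between 1 and 60 seconds")
    if timeout < MIN_TIMEOUT:
        raise ValueError("polling timeout must be at least 10 seconds")
    deadline = clock() + timeout
    polls = 0
    while True:
        state = get_state()  # assumed to return Splunk's dispatchState string
        polls += 1
        if state == "DONE":
            return polls
        if state == "FAILED":
            raise RuntimeError("Failed to get search result")
        if clock() >= deadline:
            raise SearchTimeout(f"search not finished after {timeout}s")
        sleep(interval)

def parse_results(xml_text):
    """Turn Splunk results XML into one dict per <result> element."""
    docs = []
    for result in ET.fromstring(xml_text).iter("result"):
        doc = {}
        for field in result.iter("field"):
            node = field.find("value/text")
            if node is None:
                node = field.find("v")  # _raw is carried in <v>, not <value>
            doc[field.get("k")] = "".join(node.itertext()) if node is not None else ""
        docs.append(doc)
    return docs

# Constructed sample in the shape of Splunk's XML results output.
SAMPLE_XML = """<results preview='0'>
<result offset='0'>
<field k='host'><value><text>dropbox</text></value></field>
<field k='_raw'><v xml:space='preserve' trunc='0'>sshd[1039]: Failed password for root</v></field>
</result>
</results>"""
```

With the minimum timeout of 10 seconds and the default interval of 5, a search that never completes is polled three times before `SearchTimeout` is raised.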

