
Snap type:



This Snap executes a search query and retrieves data from Splunk using the Splunk REST API.

  • Expected upstream Snaps: Upstream Snap is optional. Any Snap with a document output view can be connected upstream.
  • Expected downstream Snaps: Any Snap with a document input view can be connected downstream, such as Mapper, CSV Formatter, JSON Formatter, XML Formatter or Structure.
  • Expected input: The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties.
  • Expected output: The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. An example of the output preview for the Search query property value "search * | head 2" is as follows:
"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49158",
"_serial": "0",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from port 3351 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"

"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49153",
"_serial": "1",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from port 3768 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"

The search output includes both preview data from a search that is still in progress, indicated by "_preview": true, and the actual data after the search completes, indicated by "_preview": false. You must use a Filter Snap next to specify which of these is fed into downstream Snaps. To do this, in the Filter expression field of the Filter Snap, specify the value of the preview field as:

  • false, to use the actual results after the search completes. 

  • true, to use a preview or partial result of a search that is still in progress. This is helpful in case of long searches. In addition, you can provide an offset value to indicate the serial number starting from which the records must be selected. For example, if offset is specified as 50, the preview results starting from the 50th record are used.

Preview data is cumulative; therefore, it may include duplicate records from previous previews, if any.
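The selection described above, applied to a result stream outside the pipeline and followed by a count of failed SSH logins per account. This is an added example in plain JavaScript (Node.js), not SnapLogic code; the sample documents are constructed from the output preview above with a `_preview` field added, and the function names and the deduplication key (`_bkt` plus `_cd`) are assumptions.

```javascript
// Constructed sample: two cumulative preview batches, then the final results.
const RAW_INVALID = "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from port 3351 ssh2";
const RAW_ROOT = "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from port 3768 ssh2";
const BKT = "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281";
const doc = (preview, serial, cd, raw) =>
  ({ _preview: preview, _serial: String(serial), _cd: cd, _bkt: BKT, _raw: raw });

const sampleDocs = [
  doc(true, 0, "0:49158", RAW_INVALID),   // preview batch 1
  doc(true, 0, "0:49158", RAW_INVALID),   // preview batch 2 repeats batch 1...
  doc(true, 1, "0:49153", RAW_ROOT),      // ...and adds one new event
  doc(false, 0, "0:49158", RAW_INVALID),  // final results
  doc(false, 1, "0:49153", RAW_ROOT),
];

// Keep either the final or the preview documents. In preview mode, skip records
// whose _serial is below `offset` and drop repeats carried over from earlier
// cumulative previews. Assumption: _bkt + _cd identifies one event.
function selectResults(docs, { preview = false, offset = 0 } = {}) {
  const seen = new Set();
  return docs.filter((d) => {
    // Compare as strings so a parsed "true"/"false" matches a boolean too.
    if (String(d._preview) !== String(preview)) return false;
    if (!preview) return true;
    if (Number(d._serial) < offset) return false;
    const key = `${d._bkt}|${d._cd}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Count failed SSH password attempts per account from the _raw field.
function failedLoginsByUser(docs) {
  const counts = {};
  for (const d of docs) {
    const m = /Failed password for (?:invalid user )?(\S+) from/.exec(d._raw || "");
    if (m) counts[m[1]] = (counts[m[1]] || 0) + 1;
  }
  return counts;
}

console.log(failedLoginsByUser(selectResults(sampleDocs)));
```

Counting over the unfiltered stream reports three attempts for `appserver` instead of one, which is the inflation the preview filter prevents.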



Support and limitations: Works in Ultra Task Pipelines.

This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. The Snap requires a Splunk basic auth account.


Input: This Snap has exactly one document input view. It may contain values to evaluate the JavaScript expression in the File property.
Output: This Snap has exactly one document output view and provides the document data stream for the search result.

This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the search operation, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace:

        "error": "Failed to get search result",
        "reason": "Invalid search query or <an error message from Splunk>",
        "resolution": "Please check for valid Snap properties.",
        "stacktrace": "com.Snaplogic.Snap.api.SnapDataException: ... "



Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Search query

Required. Search query to be submitted to Splunk.

Examples:

  • "search * | head 10": Search the default index "main" and get 10 events.
  • "search index=test_index | head 1000": Search a custom index "test_index" and get 1000 events.

Default value:  [None]

Earliest time

Enables you to execute the Snap during the Save operation so that the output view can produce the preview data.

Default value:  Not selected

Latest time

Latest time for search. This property is ignored if the Last property has a valid value.

Example:  "2015-02-20T12:00:00.000-07:00"

Default value: [None]


Last

Time duration as in "last 7 days". Leave this property blank if you want to use the Earliest/Latest time properties for the search.

Example: 100

Default value: 7


Unit

Time unit for the Last property. The available options are:

  • seconds
  • minutes
  • hours
  • days
  • weeks
  • months
  • quarters
  • years

Example: days

Default value: days

Earliest Relative

Returns search results based on the earliest time you choose, relative to the Last and Unit fields. The available options are:

  • No Snap-to: Decrements the start time by the value you specify in Latest Relative and Unit.
  • Beginning of time: Resets the time based on the value you enter in Last and Unit.  

Default value: No Snap-to

Latest Relative

Returns the search results based on the latest time you choose, relative to the Last and Unit fields. The available options are:

  • Now: Sets the time to the value you enter in Last and Unit.
  • Beginning of time: Resets the time based on the value you enter in Last and Unit.

Default value: Now

Preset Relative Search

Returns events for the time range selected here. The available options are:

  • None
  • Today
  • Week to date
  • Business week to date
  • Month to date
  • Year to date
  • Yesterday
  • Previous week
  • Previous business week
  • Previous month
  • Previous year
  • Last 30 days
  • Last 7 days
  • Last 24 hours
  • Last 4 hours
  • Last 60 minutes
  • Last 15 minutes

If Preset Relative Search is not set to None, the Snap ignores all values entered in the Earliest time, Latest time, Last, Unit, Earliest Relative, and Latest Relative fields.

Response Mode

Select the format of response returned from the Splunk server. The available options are:

  • XML
  • JSON

Default value: XML