This page is no longer maintained (Jul 12, 2023). For the most current information, go to Splunk Search.

On this Page

Overview

This Snap executes a search query and retrieves data from Splunk using the Splunk REST API.

SnapLogic Documentation > Splunk Search > Splunk Search.png

Snap Type

The Splunk Search Snap is a Read type Snap.

Support for Ultra Pipelines

Works in Ultra Task Pipelines.

Snap Views

Type

Format

Views

Examples of Upstream and Downstream Snaps

Description

Input

Document

Min: 0

Max: 1

Upstream Snap is optional.

Any Snap with a document output view can be connected upstream.The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties.

Output

Document

Min: 1

Max: 1

Mapper
CSV Formatter
JSON Formatter
XML Formatter
Structure

The Snap provides the document data stream for the search result.The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. Learn more about Splunk Search Output.

Error

This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the search operation, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace:

{
        "error": "Failed to get search result",
        "reason": "Invalid search query or  <an error message from Splunk>",
        "resolution": "Please check for valid Snap properties."
        "stacktrace":"com.Snaplogic.Snap.api.SnapDataException:  ... "
}

Snap Settings

Label

Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Search query

Required. Search query to be submitted to Splunk.

Default value: [None]
Example: "search * | head 10" Search a default index "main" and get 10 events.
"search index=test_index | head 1000" Search a custom index "test_index" and get 1000 events.

Earliest time

Specify the earliest time for searching the data.

Default value: None

Example:1971-06-19T12:00:00:000-07:00

Latest time

Specify the latest time for search. This property is ignored if the Last property has a valid value.

Default value: [None]

Example: "2015-02-20T12:00:00.000-07:00"

Last

Specify the date or time interval for search. Leave this property blank if you want to use the Earliest/Latest time properties for the search.

Default value: 7
Example: 100

Unit

Specify the time unit for the Last property. The available options are:

seconds
minutes
hours
days
weeks
months
quarters
years

Default value: days
Example: days

Earliest Relative

Returns search results based on the earliest time you choose, relative to the Last and Unit fields. The available options are:

No Snap-to: Decrements the start time by the value you specify in Latest Relative and Unit.
Beginning of time: Resets the time based on the value you enter in Last and Unit.

Default value: No Snap-to

Latest Relative

Returns the search results based on the latest time you choose, relative to the Last and Unit fields. The available options are:

Now: Sets the time to the value you enter in Last and Unit.
Beginning of time: Resets the time based on the value you enter in Last and Unit.

Default value: Now

Preset Relative Search

Returns events for the time range selected here. The available options are:

None
Today
Week to date
Business week to date
Month to date
Year to date
Yesterday
Previous week
Previous business week
Previous month
Previous year
Last 30 days
Last 7 days
Last 24 hours
Last 4 hours
Last 60 minutes
Last 15 minutes

If Preset Relative Search is not set to None, the Snap ignores all values entered in the Earliest time, Latest time, Last, Unit, Earliest Relative, and Latest Relative fields.

Response Mode

Select the format of response returned from the Splunk server. The available options are:

XML
JSON

Default value: XML

Splunk Search Output

An example of the output preview on the Search query property value of "search * | head 2" is as follows:

The search output includes both, preview data from a search that is still in progress, indicated by “_preview“:true, and the actual data after the search completes, indicated by “_preview“:false. You must use a Filter Snap next, to specify which of these data must be fed into downstream Snaps. To do this, in the Filter expression field of the Filter Snap, specify the value of the preview field as:

false, to use the actual results after the search completes.
true, to use a preview or partial result of a search that is still in progress. This is helpful in case of long searches. In addition, you can provide an offset value to indicate the serial number starting from which the records must be selected. For example, if offset is specified as 50, the preview result starting from the 50th record are used.

Preview data is cumulative, therefore, it may include duplicate records from previous previews, if any.

[
{
“_preview“:false,
“_offset“:0,
"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49158",
"_serial": "0",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from 194.8.74.23 port 3351 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"
},

{
“_preview“:false,
“_offset“:1,
"_sourcetype": "mailServiceLog",
"index": "main",
"host": "dropbox",
"_cd": "0:49153",
"_serial": "1",
"_si": "dropbox,main",
"splunk_server": "dropbox",
"linecount": "1",
"_indextime": "1422929287",
"_raw": "Thu Jan 25 2015 00:15:06 mailsv1 sshd[1039]: Failed password for root from 194.8.74.23 port 3768 ssh2",
"source": "secure.log",
"_bkt": "main~0~85A0230B-D211-4DF5-AB4A-81F2C79F1281",
"_time": "2015-01-25T00:15:06.000+00:00",
"sourcetype": "mailServiceLog"
}
]