Splunk Search
This page is no longer maintained (Jul 12, 2023). For the most current information, go to Splunk Search.
Overview
This Snap executes a search query and retrieves data from Splunk using the Splunk REST API.
Snap Type
The Splunk Search Snap is a Read type Snap.
Support for Ultra Pipelines
Works in Ultra Task Pipelines.
Snap Views
Type | Format | Views | Examples of Upstream and Downstream Snaps | Description |
---|---|---|---|---|
Input | Document | Min: 0 Max: 1 | Upstream Snap is optional. | Any Snap with a document output view can be connected upstream. The Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties. |
Output | Document | Min: 1 Max: 1 | | The Snap provides the document data stream for the search result. The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. Learn more about Splunk Search Output. |
Error | Document | Min: 0 Max: 1 | | This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the search operation, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace: `{ "error": "Failed to get search result", "reason": "Invalid search query or <an error message from Splunk>", "resolution": "Please check for valid Snap properties.", "stacktrace": "com.Snaplogic.Snap.api.SnapDataException: ..." }` |
Snap Settings
Field | Description |
---|---|
Label | Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline. |
Search query | Required. Search query to be submitted to Splunk. Default value: [None] |
Earliest time | Specify the earliest time for searching the data. Default value: [None] Example: 1971-06-19T12:00:00.000-07:00 |
Latest time | Specify the latest time for the search. This property is ignored if the Last property has a valid value. Default value: [None] Example: 2015-02-20T12:00:00.000-07:00 |
Last | Specify the date or time interval for the search. Leave this property blank if you want to use the Earliest/Latest time properties for the search. Default value: 7 |
Unit | Specify the time unit for the Last property. The available options are: Default value: days |
Earliest Relative | Returns search results based on the earliest time you choose, relative to the Last and Unit fields. The available options are: Default value: No Snap-to |
Latest Relative | Returns search results based on the latest time you choose, relative to the Last and Unit fields. The available options are: Default value: Now |
Preset Relative Search | Returns events for the time range selected here. The available options are: If Preset Relative Search is not set to None, the Snap ignores all values entered in the Earliest time, Latest time, Last, Unit, Earliest Relative, and Latest Relative fields. |
Response Mode | Select the format of the response returned from the Splunk server. The available options are: Default value: XML |
Snap Execution | Select one of the three modes in which the Snap executes. Available options are: |
Splunk Search Output
An example of the output preview for the Search query property value "search * | head 2" is as follows:
The search output includes both preview data from a search that is still in progress, indicated by `"_preview": true`, and the actual data after the search completes, indicated by `"_preview": false`. You must use a Filter Snap next to specify which of these must be fed into downstream Snaps. To do this, in the Filter expression field of the Filter Snap, specify the value of the `_preview` field as:
- false, to use the actual results after the search completes.
- true, to use a preview or partial result of a search that is still in progress. This is helpful for long searches. In addition, you can provide an offset value to indicate the serial number starting from which the records must be selected. For example, if offset is specified as 50, the preview results starting from the 50th record are used.
Preview data is cumulative, so it may include duplicate records from previous previews, if any.
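The following is an added example, not SnapLogic's code, that models the Filter step described above over a constructed sample of Snap output documents: it selects either the final results or the preview results from a given offset, and drops the duplicates that cumulative previews produce. The `_time` and `_raw` fields and the duplicate-detection key are assumptions.

```javascript
// Constructed sample of what the Snap emits: two cumulative previews while
// the search is still running, then the final results once it completes.
const sampleStream = [
  { _preview: true,  _time: "2015-02-20T12:00:00.000-07:00", _raw: "user=alice action=login" },
  { _preview: true,  _time: "2015-02-20T12:00:00.000-07:00", _raw: "user=alice action=login" }, // repeated by 2nd preview
  { _preview: true,  _time: "2015-02-20T12:00:05.000-07:00", _raw: "user=bob action=login" },
  { _preview: true,  _time: "2015-02-20T12:00:09.000-07:00", _raw: "user=carol action=logout" },
  { _preview: false, _time: "2015-02-20T12:00:00.000-07:00", _raw: "user=alice action=login" },
  { _preview: false, _time: "2015-02-20T12:00:05.000-07:00", _raw: "user=bob action=login" },
  { _preview: false, _time: "2015-02-20T12:00:09.000-07:00", _raw: "user=carol action=logout" },
];

// Key used to drop duplicates across cumulative previews. Assumption: two
// records are the same record when every field except _preview matches.
function recordKey(doc) {
  const { _preview, ...rest } = doc;
  return JSON.stringify(rest, Object.keys(rest).sort());
}

// preview=false: keep only the final results (the safe choice for anything
//                that alerts or reports, since partial data is never used).
// preview=true:  keep preview records, deduplicated, starting at the 1-based
//                serial number `offset` (offset 50 => from the 50th record).
function selectSearchResults(docs, { preview = false, offset = 1 } = {}) {
  const wanted = docs.filter((d) => d._preview === preview);
  if (!preview) return wanted;
  const seen = new Set();
  const unique = wanted.filter((d) => {
    const k = recordKey(d);
    if (seen.has(k)) return false;
    seen.add(k);
    return true;
  });
  return unique.slice(Math.max(offset, 1) - 1);
}

console.log(selectSearchResults(sampleStream, { preview: true, offset: 2 }));
```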
Snap Pack History
© 2017-2024 SnapLogic, Inc.