Splunk Search

On this Page

Snap type:

Read


Description:

This Snap executes a search query and retrieves data from Splunk using the Splunk REST API.

  • Expected upstream SnapsUpstream Snap is optional. Any Snap with a document output view can be connected upstream.
  • Expected downstream SnapsAny Snap with a document input view can be connected downstream, such as Mapper, CSV Formatter, JSON Formatter, XML Formatter or Structure.
  • Expected inputThe Snap does not require input data. Input documents may be used to evaluate any JavaScript expression in the properties.
  • Expected output: The search result received from Splunk is in XML format. The Snap parses this XML data and produces a stream of documents at the output view. An example of the output preview on the Search query property value of "search * | head 2" is as follows:

The search output includes both, preview data from a search that is still in progress, indicated by “_preview“:true, and the actual data after the search completes, indicated by “_preview“:false. You must use a Filter Snap next, to specify which of these data must be fed into downstream Snaps. To do this, in the Filter expression field of the Filter Snap, specify the value of the preview field as:

  • false, to use the actual results after the search completes. 

  • true, to use a preview or partial result of a search that is still in progress. This is helpful in case of long searches. In addition, you can provide an offset value to indicate the serial number starting from which the records must be selected. For example, if offset is specified as 50, the preview result starting from the 50th record are used. 

Preview data is cumulative, therefore, it may include duplicate records from previous previews, if any.  

Prerequisites:

[None]


Support and limitations:Works in Ultra Task Pipelines.
Account: 

This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. The Snap requires a Splunk basic auth account.


Views:
InputThis Snap has exactly one document input view. It may contain values to evaluate the JavaScript expression in the File property.
OutputThis Snap has exactly one document output view and provides the document data stream for the search result.
Error

This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the search operation, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace:

{
        "error": "Failed to get search result",
        "reason": "Invalid search query or  <an error message from Splunk>",
        "resolution": "Please check for valid Snap properties."
        "stacktrace":"com.Snaplogic.Snap.api.SnapDataException:  ... "
}

Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Search query



Required. Search query to be submitted to Splunk.

Example "search * | head 10"  Search a default index "main" and get 10 events.
        "search index=test_index | head 1000" Search a custom index "test_index" and get 1000 events.

Default value:  [None]
 

Earliest time


Enables you to execute the Snap during the Save operation so that the output view can produce the preview data.

Default value:  Not selected


Latest time


Latest time for search. This property is ignored if the Last property has a valid value.

Example:  "2015-02-20T12:00:00.000-07:00"

Default value: [None]


Last


Time duration as in "last 7 days". Leave this property blank if you want to use the Earliest/Latest time properties for the search.

Example: 100

Default value: 7


Unit


Time unit for the Last property. The available options are:

  • seconds
  • minutes
  • hours
  • days
  • weeks
  • months
  • quarters
  • years

Example: days

Default value: days

Earliest Relative

Returns search results based on the earliest time you choose, relative to the Last and Unit fields. The available options are:

  • No Snap-to: Decrements the start time by the value you specify in Latest Relative and Unit.
  • Beginning of time: Resets the time based on the value you enter in Last and Unit.  

Default value: No Snap-to

Latest Relative

Returns the search results based on the latest time you choose, relative to the Last and Unit fields. The available options are:

  • Now: Sets the time to the value you enter in Last and Unit.
  • Beginning of time: Resets the time based on the value you enter in Last and Unit.

Default value: Now

Preset Relative Search

Returns events for the time range selected here. The available options are:

  • None
  • Today
  • Week to date
  • Business week to date
  • Month to date
  • Year to date
  • Yesterday
  • Previous week
  • Previous business week
  • Previous month
  • Previous year
  • Last 30 days
  • Last 7 days
  • Last 24 hours
  • Last 4 hours
  • Last 60 minutes
  • Last 15 minutes
If Preset Relative Search is not set to None, the Snap ignores all values entered in the Earliest time, Latest time, Last, Unit, Earliest Relative, and Latest Relative fields.
Response Mode

Select the format of response returned from the Splunk server. The available options are:

  • XML
  • JSON

Default value: XML

Snap Execution

Select one of the three modes in which the Snap executes. Available options are:

  • Validate & Execute: Performs limited execution of the Snap, and generates a data preview during Pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during Pipeline runtime.
  • Execute only: Performs full execution of the Snap during Pipeline execution without generating preview data.
  • Disabled: Disables the Snap and all Snaps that are downstream from it.

Example


Snap Pack History

 Click to view/expand
ReleaseSnap Pack VersionDateTypeUpdates
4.27 Patch427patches13429 Latest

In the Splunk Basic Auth account:

  • Fixed the connection failure issue when connecting to a cloud-based Splunk instance by not adding the prefix 'input-'to the hostname.
  • Removed the On-premises checkbox from the Snap Account settings.

4.27

main12833

 

Stable

Upgraded with the latest SnapLogic Platform release.
4.26main11181 StableUpgraded with the latest SnapLogic Platform release.
4.25main9554
 
StableUpgraded with the latest SnapLogic Platform release.
4.24main8556
 
StableUpgraded with the latest SnapLogic Platform release.
4.23423patches7504
 
Latest

Enhances the Splunk Search Snap by adding a new field, Response Mode, which allows receiving either JSON or XML response from the Splunk server. The default mode is XML, to enable backward compatibility.

4.23main7430
 
StableUpgraded with the latest SnapLogic Platform release.
4.22422patches7312
 
Latest

Enhances the Splunk Search Snap by adding a new field, Response Mode, which allows receiving either JSON or XML response from the Splunk server. The default mode is XML, to enable backward compatibility.

4.22main6403
 
StableUpgraded with the latest SnapLogic Platform release.
4.21421patches5851
 
Latest

Fixes the Splunk Snaps that fail to route connection errors to error view, thus aborting the Snaps.

4.21snapsmrc542
 
StableUpgraded with the latest SnapLogic Platform release.
4.20snapsmrc535
 
StableUpgraded with the latest SnapLogic Platform release.
4.19splunk8425
 
Latest
  • Fixes the Splunk Search Snap where the output data do not display some of the preview fields.
  • Added the preview field to the Splunk Search Snap output to allow users to select between preview and actual search results to pass on to downstream Snaps.
4.19snaprsmrc528
 
StableUpgraded with the latest SnapLogic Platform release.
4.18splunk7812
 
Latest

Added properties named Earliest RelativeLatest Relative, and Preset Relative Search to the Splunk Search Snap to fix an issue wherein the Snap returns inaccurate and inconsistent results regarding last-30-day and year-to-date searches.

4.18snapsmrc523
 
StableUpgraded with the latest SnapLogic Platform release.
4.17 ALL7402
 
Latest

Pushed automatic rebuild of the latest version of each Snap Pack to SnapLogic UAT and Elastic servers.

4.17snapsmrc515
 
Latest

Added the Snap Execution field to all Standard-mode Snaps. In some Snaps, this field replaces the existing Execute during preview check box.

4.16snapsmrc508
 
StableUpgraded with the latest SnapLogic Platform release.
4.15snapsmrc500
 
StableUpgraded with the latest SnapLogic Platform release.
4.14splunk5963
 
Latest

Updated the Splunk Search Snap to stream results directly to the client without storing them in the server.

4.14snapsmrc490
 
StableUpgraded with the latest SnapLogic Platform release.
4.13

snapsmrc486

 
StableUpgraded with the latest SnapLogic Platform release.
4.12

snapsmrc480

 
StableUpgraded with the latest SnapLogic Platform release.
4.11snapsmrc465
 
StableUpgraded with the latest SnapLogic Platform release.
4.10snapsmrc414
 
StableUpgraded with the latest SnapLogic Platform release.
4.9

snapsmrc405

 
StableUpgraded with the latest SnapLogic Platform release.
4.8

snapsmrc398

 
StableUpgraded with the latest SnapLogic Platform release.
4.7

snapsmrc382

 
StableUpgraded with the latest SnapLogic Platform release.
4.6snapsmrc362
 
StableUpgraded with the latest SnapLogic Platform release.
4.5.1

snapsmrc344

 
StableUpgraded with the latest SnapLogic Platform release.
4.5

snapsmrc344

 
Stable

Resolved an issue in Splunk Search Snap to ensure that the same errors are reported on Java 7 and Java 8 Snaplexes.

4.4.1

NA
 
Stable
  • Splunk Search: Resolved an issue with the message presented when a non-JavaScript expression was used in a Search.
  • Splunk Search: Resolved an issue with the input schema not populating after enabling an expression.
4.3.2NA
 
Stable

Added SSL support to the Splunk Account.

4.3.1

NA

Stable

Feature: Additional configuration parameters for the Splunk Writer Snap.

May 15, 2015

NA
Stable

Addressed the following issue: Splunk Write: Writer does not throw error if Index is disabled. Instead pipelines successfully runs, but no data inserted.

May 2, 2015

NA
Latest

Introduced Splunk Saved Search and Splunk Writer

March 2015

NA
Stable

Introduced Splunk Search Snap