import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;

import com.splunk.Entity;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.JobResultsArgs.OutputMode;
import com.splunk.Service;

/**
 * Submit a search job (exec_mode = normal, asynchronous) and page through
 * the results.
 *
 * The maximum number of events you can retrieve at a time is determined by
 * the maxresultrows field, which is specified in a Splunk configuration
 * file. The default value is 50000, but we don't recommend you change this.
 * So, what if your job has more events than this limit? No problem--just
 * retrieve your events in sets, using the count and offset attributes. Set
 * the count (the number of events in a set) to maxresultrows, and increment
 * the offset by maxresultrows to page through each set (0-49999,
 * 50000-99999, and so on).
 */
public static void searchJobWithPagingExample() {
    Service splunkService = connectAndLoginToSplunkExample();

    // Get the max results from the Splunk server configuration
    // (limits.conf, [restapi] stanza)
    Entity restApi = splunkService.getConfs().get("limits").get("restapi");
    int maxresults = Integer.parseInt((String) restApi.get("maxresultrows"));

    OutputMode outputMode = OutputMode.XML; // xml, json, csv

    JobArgs queryArgs = new JobArgs();
    queryArgs.setEarliestTime("-2d@d");
    queryArgs.setLatestTime("now");

    // Submit the job
    Job job = splunkService.getJobs().create("search index=_internal | head 5", queryArgs);

    // Poll until the job finishes
    while (!job.isDone()) {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            // Restore the interrupt flag and stop waiting instead of
            // silently swallowing the interruption
            Thread.currentThread().interrupt();
            return;
        }
    }

    // After the search job is complete, get the number of results.
    // getResults() pages over results, so bound the loop with the result
    // count; it differs from the event count for transforming searches.
    int resultCount = job.getResultCount();

    // Page through results with a simple loop
    int getOffset = 0;
    while (getOffset < resultCount) {
        JobResultsArgs outputArgs = new JobResultsArgs();
        outputArgs.setCount(maxresults);
        outputArgs.setOffset(getOffset);
        outputArgs.setOutputMode(outputMode);

        // Close each page's stream once it has been processed
        try (InputStream stream = job.getResults(outputArgs)) {
            processInputStream(stream, outputMode);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }

        // Increase the offset to get the next set of results
        getOffset = getOffset + maxresults;
    }
}