Splunk SDK for Java command line examples

You can start getting familiar with the Splunk SDK for Java by running the command-line examples that came with the SDK.

After you build the SDK, examples are placed in the /splunk-sdk-java/dist/examples directory. To run the examples, run the Java interpreter at the command line using the -jar flag to specify the target example jar file, and include any arguments that are required by the example:

java -jar <examplename>.jar --username="admin" --password="yourpassword"

If you saved your login credentials in the .splunkrc file, you can omit those arguments, which also keeps the password out of your shell history and the process list:

java -jar <examplename>.jar 
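
Because .splunkrc holds the password in plain text, it is worth auditing the file before relying on it. The following shell functions are an added example, not part of the SDK; they assume the key=value layout (host, port, username, password, scheme) used by the Splunk SDKs and a file in your home directory, and the names splunkrc_get and splunkrc_audit are hypothetical:

```shell
#!/bin/sh
# Added example (not SDK code): audit a .splunkrc before using it with ./run.
# Assumption: the file uses key=value lines such as username=admin.
# Usage: splunkrc_audit "$HOME/.splunkrc" && ./run search "search * | head 10"

# Print the value of key $2 from file $1 (comment lines never match;
# surrounding whitespace is trimmed; the last assignment wins).
splunkrc_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Return 0 only if file $1 can safely stand in for --username/--password.
# Every problem found is reported on stderr.
splunkrc_audit() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: not found" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible to group or other; run chmod 600" >&2
        rc=1
    fi
    for key in username password; do
        if [ -z "$(splunkrc_get "$file" "$key")" ]; then
            echo "$file: no $key entry" >&2
            rc=1
        fi
    done
    # An explicit scheme=http would send the login over the network unencrypted.
    if [ "$(splunkrc_get "$file" scheme)" = "http" ]; then
        echo "$file: scheme=http sends credentials in cleartext" >&2
        rc=1
    fi
    return $rc
}
```
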

To get help for an example, run it with the --help argument:

java -jar <examplename>.jar --help

A helper script called run in the /splunk-sdk-java directory simplifies running the SDK examples. For example, on *nix you can simply enter:

./run <examplename>

Run examples

The following command-line examples show how to run the SDK examples with the run helper script. Make sure Splunk is running, and then open a command prompt in the /splunk-sdk-java directory.

Run oneshot, blocking, and real-time searches

The search*.jar examples demonstrate how to run different types of searches, including oneshot, blocking, and real-time searches.

This runs a simple search with output in CSV format:

./run search "search * | head 10" --output_mode=csv

If you aren't using the .splunkrc file, you'll need to include your login credentials:

./run search --username="admin" --password="yourpassword" "search * | head 10" --output_mode=csv

This runs a search of everything, returns one event in JSON format, and displays progress:

./run search "search *" --output_mode=json --count=1 --verbose

This runs a oneshot search within a time range (earliest and latest times):

./run search_oneshot "search *" --earliest_time="2012-03-02T15:13:40.000-08:00" --latest_time="2017-03-05T15:13:50.000-08:00" 

Work with data indexes

The index.jar example lets you work with the indexes that store your Splunk Enterprise data. When you run the index.jar example with no arguments, it lists all indexes along with the number of events in each:

./run index

You can also specify an action (clean, enable, disable) to perform on a specific index. This shows how to clean the "summary" index:

./run index clean summary

Display Splunk system info

The info.jar example takes no arguments and simply prints system information about your Splunk Enterprise instance to the console:

./run info

Export indexed events to a file

The export.jar example takes events from an index and saves them to a hard-coded file, export.out, in the current working directory. The default format is CSV, but you can also specify XML or JSON. If an export.out file already exists, an exception is thrown unless you use the recover argument (more on that below).

This exports the "main" index:

./run export main

You can use a search string to filter the events that are exported:

./run export main --search="search sourcetype=access_*"

To change the output format, you can specify XML, JSON, or CSV:

./run export main --search="search sourcetype=access_*" json

The recover argument continues exporting the index from where you left off if the process was interrupted. Using recover restarts the export process, and only new events are added at the top of the file:

./run export main recover

Run GET commands for Splunk Enterprise REST API endpoints

The spurl.jar example runs a GET command for any endpoint in the Splunk REST API, and returns the Atom Feed response. These examples use two different endpoints:

./run spurl /services/data/indexes
./run spurl /services/saved/searches

Display events as they are indexed

The tail.jar example prints events to the console as they are indexed (the "tail" of a real-time search), and you can specify an output format. For example, this command prints incoming events to the "twitter" index in XML format:

./run tail "search index=twitter" --format=xml

Generate sample events for testing

The genevents.jar example is a simple event generator that writes 50,000 short time-stamped events to a specified index. For example, this adds events to the "main" index:

./run genevents main

Use genevents.jar for testing when you need a bunch of events. For example, you can use genevents.jar with the tail.jar example to display events as they are received in a "test" index. Open two command prompt windows. In one, enter:

./run tail "search index=test"

Then, in the other window, enter:

./run genevents test