Developing Dashboards, Views, and Apps for Splunk Web

 


Additional PCL Search Examples

This documentation does not apply to the most recent version of Splunk.

The search function has a number of optional parameters for determining what results are returned. In addition to the standard event results discussed in the previous example, here are some other ways you can use the PCL search function.


output

For a short report of selected matching event statistics, use "output":


argsDict = {
  "authstr" : authString,
  "terms"   : "404",
  "output"  : "scheduler"
}

If a regular search returns these events:


127.0.0.1 - - [27/Feb/2007:16:02:31 -0800] "GET /test.html HTTP/1.1" 404 305
127.0.0.1 - - [27/Feb/2007:14:00:50 -0800] "GET /favicon.ico HTTP/1.1" 404 307
127.0.0.1 - - [26/Feb/2007:16:16:35 -0800] "GET /test.html HTTP/1.1" 404 300
127.0.0.1 - - [26/Feb/2007:15:40:27 -0800] "GET /test.html HTTP/1.1" 404 300
127.0.0.1 - - [26/Feb/2007:15:37:04 -0800] "GET /test.html HTTP/1.1" 404 300
127.0.0.1 - - [26/Feb/2007:15:29:29 -0800] "GET /test.html HTTP/1.1" 404 300
127.0.0.1 - - [26/Feb/2007:15:27:07 -0800] "GET /favicon.ico HTTP/1.1" 404 302

Then specifying an output type of "scheduler" returns this:


eventCount:          7
hostCount:           1
sourceCount:         1
typeCount:           2
sourceTypeCount:     1
eventTagCount:       0
hostTagCount:        0
starttime:           12/31/1969:16:00:00
endtime:             03/06/2009:12:46:17

get

Use "get" to return a list of hosts, sources, sourcetypes or types that contain matching events. The dictionary shown below returns a list of the event types of the matching events.


argsDict = {
  "authstr" : authString,
  "terms"   : "404",
  "get"     : "types"
}

returns


eventtype::?9
eventtype::?11

With any of these, you can also specify a format of "xml" to get the output in XML with additional information:


<queryResult>
  <ids>
  </ids>
  <results type="types">
    <result c="5" cd="9">
      <segtext xml:space="preserve">5 results from eventtype::?9<meta></meta></segtext>
      <type cd="9" wob=" v:cc9b b1:110 a1:49 j1:4111519 k2:529728502 h2:2550214376 g1:0  ">
        <tags></tags>
      </type>
    </result>
    <result c="2" cd="11">
      <segtext xml:space="preserve">2 results from eventtype::?11<meta></meta></segtext>
      <type cd="11" wob=" v:cc9b b1:110 a1:49 j1:4111519 k2:529728502 h2:2550214376 g1:2550123436  ">
        <tags></tags>
      </type>
    </result>
  </results>
</queryResult>
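
The XML response shown above can be reduced to per-type counts, for example to see which event types account for the 404 responses. This is an added example, not code from the Splunk documentation or the PCL; the function name and the reading of the "c" attribute as the matching-event count are assumptions based on the sample output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the XML response shown above, with whitespace normalised.
SAMPLE_XML = """<queryResult><ids>
</ids>
<results type="types">
<result c="5" cd="9"><segtext xml:space="preserve">5 results from eventtype::?9<meta></meta></segtext>
<type cd="9" wob=" v:cc9b b1:110 a1:49 j1:4111519 k2:529728502 h2:2550214376 g1:0  "><tags></tags></type>
</result>
<result c="2" cd="11"><segtext xml:space="preserve">2 results from eventtype::?11<meta></meta></segtext>
<type cd="11" wob=" v:cc9b b1:110 a1:49 j1:4111519 k2:529728502 h2:2550214376 g1:2550123436  "><tags></tags></type>
</result>
</results></queryResult>"""

# <segtext> carries a human-readable summary: "<count> results from <name>".
SEGTEXT_RE = re.compile(r"^(\d+) results? from (\S+)$")


def parse_get_results(xml_text):
    """Return (result_type, {name: count}) from a "get" response in XML format.

    Assumption: the "c" attribute on <result> is the matching-event count.
    It is cross-checked against the count in <segtext>; a mismatch raises
    ValueError rather than silently trusting either value.
    """
    root = ET.fromstring(xml_text)
    results = root.find("results")
    if root.tag != "queryResult" or results is None:
        raise ValueError("not a queryResult document")
    counts = {}
    for result in results.findall("result"):
        seg = result.find("segtext")
        text = (seg.text or "").strip() if seg is not None else ""
        match = SEGTEXT_RE.match(text)
        if match is None:
            raise ValueError("unrecognised segtext: %r" % text)
        count, name = int(match.group(1)), match.group(2)
        if result.get("c") != str(count):
            raise ValueError("count mismatch for %s" % name)
        counts[name] = count
    return results.get("type"), counts


if __name__ == "__main__":
    kind, counts = parse_get_results(SAMPLE_XML)
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%-16s %d" % (name, n))
```

For the sample, the two counts sum to 7, the same total as the eventCount in the "scheduler" output earlier on this page.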

This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6.

