I am trying to access Splunk results using Java. I have followed the link below to achieve this: https://dev.splunk.com/enterprise/docs/devtools/java/sdk-java/howtousesdkjava/howtodisplaysearchsdkjava/
I am trying to give the search string below, but I am getting the exception below.
source="/u/application/xxxx/yyy/zzzz/logs/access_log"
| eval server_type=mvindex(split('host', "."),0), site=mvindex(split('host', "."),1), country=mvindex(split('host', "."),2), domain=mvindex(split('host', "."),3), org=mvindex(split('host', "."),4)
| search country="XX" serviceName="/services/*"
| chart count by serviceName
Setting the search string in the job:
String mySearch = "source=\"/u/applic/wsadmin/WMSE/apache/logs/httpd_60402/access_log\" | eval server_type=mvindex(split('host', \".\"),0), site=mvindex(split('host', \".\"),1), country=mvindex(split('host', \".\"),2), domain=mvindex(split('host', \".\"),3), org=mvindex(split('host', \".\"),4) |search country=\"us\" serviceName=\"/services/*\" | chart count by serviceName";
Job job = service.getJobs().create(mySearch);
Exception in thread "main" com.splunk.HttpException: HTTP 400 -- Unknown search command 'source'
But the same code works with the simple search command below:
String mySearch = "search * | head 5";
Job job = service.getJobs().create(mySearch);
Can someone help me understand the issue?
Adding 'search' before the source should resolve it. Either 'search' or '|' should be the first command when creating a search query via the REST API.
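
The rule from the answer above, as an added Java example that is not part of the original posts: a helper that prepends 'search' only when the string does not already start with 'search' or '|'. The class name, the method name toRestSearch and the sample queries are assumptions made for illustration, and the input is assumed to be a query as it would be typed into the Splunk search bar.

```java
import java.util.regex.Pattern;

public class RestSearchQuery {
    // A query is already acceptable when it begins with a pipe (generating
    // command) or with the explicit "search" command followed by whitespace.
    private static final Pattern EXPLICIT_START =
            Pattern.compile("^(\\||search(\\s|$))");

    /** Returns the query with an explicit leading command (hypothetical helper). */
    static String toRestSearch(String query) {
        if (query == null || query.trim().isEmpty()) {
            throw new IllegalArgumentException("empty search string");
        }
        String q = query.trim();
        // "searchterm=abc" must not be mistaken for the "search" command,
        // which is why the pattern requires whitespace after the keyword.
        return EXPLICIT_START.matcher(q).find() ? q : "search " + q;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first follows the shape of the
        // query in the question.
        String[] samples = {
            "source=\"/u/application/xxxx/yyy/zzzz/logs/access_log\""
                + " | search country=\"XX\" serviceName=\"/services/*\""
                + " | chart count by serviceName",
            "search * | head 5",
            "| inputlookup example_lookup",   // hypothetical lookup name
            "searchterm=abc | head 1"
        };
        for (String s : samples) {
            System.out.println(toRestSearch(s));
        }
        // Used with the SDK call from the question:
        // Job job = service.getJobs().create(toRestSearch(mySearch));
    }
}
```

The first and last samples come back with 'search ' prepended; the second and third are returned unchanged.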