create search job returns HTTP 400 response with message: "Please specify timerange to search data" #223

yweizer · 2024-03-18T10:58:00Z

Hello,

I'm experiencing the following error when attempting to create a search job via the Java client:

com.splunk.HttpException: HTTP 400 -- <?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="FATAL">Please specify timerange to search data</msg>
  </messages>
</response>
at com.splunk.HttpException.create(HttpException.java:84) ~[splunk-sdk-java-1.4.0.jar:1.4.0]
at com.splunk.HttpService.send(HttpService.java:411) ~[splunk-sdk-java-1.4.0.jar:1.4.0]
at com.splunk.Service.send(Service.java:1280) ~[splunk-sdk-java-1.4.0.jar:1.4.0]
at com.splunk.HttpService.post(HttpService.java:272) ~[splunk-sdk-java-1.4.0.jar:1.4.0]
at com.splunk.JobCollection.create(JobCollection.java:81) ~[splunk-sdk-java-1.4.0.jar:1.4.0]

###################################################################################
Code Snippet:

ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(server.getUsername());
loginArgs.setPassword(server.getPassword().getDecrypted());
loginArgs.setHost(server.getHostName());
loginArgs.setPort(server.getPort());

Service service =Service.connect(loginArgs);

//example for a query search for this customer
String query = "search (index=corp_wineventlog) ((EventCode=4768) (action="failure") ((user="****") OR (user="*****"))) OR ((EventCode=4625) (action="failure") ((user="****") OR (user="*****"))) OR ((EventCode=4771) (action="failure") ((user="******") OR (user="******"))) OR ((EventCode=4776) (action="failure") ((user="******") OR (user="*******")))";

JobExportArgs jobExportArgs = new JobExportArgs();
jobExportArgs.setIndexEarliest("2024-02-06T09:55:18.991-06:00");
jobExportArgs.setIndexLatest("2024-02-13T09:54:18.974-06:00");
jobExportArgs.setSearchMode(JobExportArgs.SearchMode.NORMAL);
jobExportArgs.setRequiredFieldList(requiredFields.toArray(new String[0]));

Job job = service.getJobs().create(query, jobExportArgs);

###################################################################################
More details:

As you can see, we get the 'missing timerange' error although the indexEarliest and indexLatest are set as expected.
Also please note, the code above works as expected for most of our costumers and also in our envs but for some reason one of our clients gets this error from the API all the time, so maybe it depends on some costume configuration they're using.

Used versions:
Splunk-sdk-java 1.4.0
Splunk enterprise instance 9.2.0.1

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

create search job returns HTTP 400 response with message: "Please specify timerange to search data" #223

create search job returns HTTP 400 response with message: "Please specify timerange to search data" #223

yweizer commented Mar 18, 2024 •

edited

Loading

create search job returns HTTP 400 response with message: "Please specify timerange to search data" #223

create search job returns HTTP 400 response with message: "Please specify timerange to search data" #223

Comments

yweizer commented Mar 18, 2024 • edited Loading

yweizer commented Mar 18, 2024 •

edited

Loading