How to use @myFile.spl to query Splunk API?

victorsalazar — Wed, 20 Sep 2023 19:46:56 GMT

Hello All

I need to send a request to Splunk API from a Linux server but the Curl is complaining because the search argument is too long (could be up to 500000 chars). my question is: how we can use @myFile.spl to query splunk api?

This is what I have done so far but no luck yet

curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=`echo $myVar`
error Argument list too long
curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d @query2.spl (Format1 in query2.spl file--> "search= | search index=myIndex ...." up to 500000 char)
error {"messages":[{"type":"FATAL","text":"Empty search."}]}
curl --noproxy '*' -k -H "Authorization: Splunk myToken"
https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d @query2.spl (Format2 in query2.spl file --> search= "| search index=myIndex ...." up to 500000 char -- difference with 3 is quotes position)
error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '\"'. Error at position '0' of search query '\"| search index...."
curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=@query2.spl
(Format2 in query2.spl file --> "| search index=myIndex ...." up to 500000 char -- difference with 3 is quotes position)
error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '@'. Error at position '0' of search query '@query2.spl'.","help":""}]}

Re: How to use @myFile.spl to query Splunk API?

victorsalazar — Fri, 22 Sep 2023 14:41:04 GMT

Hello All

I was able to solve this issue, I was digging on cURL capabilities and the answer is cURL -K configFile.

Below is how it works:

First suppose you require to send an extremely long query to Splunk API from your app or script with your cURL command (SPL search command in my case 121852 chars)

1. curl command

curl -K query.spl --noproxy '*' -H "Authorization: Splunk myTOKEN" https://mySearchHEAD:8089/servicesNS/admin/search/search/jobs

### --noproxy '*' it is optional and depends on your network setup

2. Your config file query.spl content and synaxis

[someUser@algunServidor:~/myDirectorio]$ more query.spl

-d exec_mode=oneshot ## this can be normal
-d output_mode=json ## this can be xml or csv

-d "search=| search index=myIndex sourcetype=mySourcetype _raw=*somethingIamLooking for* field1=something1 field2=something2 .... fieldN=somethingN earliest=-1h latest=now"

### really important to pay attention to the quotes in red above you need them to make it work.

I hope this help someone 🙂

topic Re: How to use @myFile.spl to query Splunk API? in Security

How to use @myFile.spl to query Splunk API?

Re: How to use @myFile.spl to query Splunk API?