topic Re: how to get splunk event logs by using rest api in Splunk Cloud Platform

How to get splunk event logs by using rest api?

tcsec2user — Thu, 30 Jun 2022 13:23:26 GMT

Hi Team,

I'm using Splunk cloud REST API "/services/collector/event" used to post the data to Splunk cloud .what is the Get API for fetch the data ?

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 09:16:30 GMT

@tcsec2user - To fetch the data you need to execute the SPL search query through REST api.

https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches

First you need to post the search job

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search *"

Then you need to check it's status

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1258421375.19

Once successful you can retrieve the results

curl -u admin:changeme \
     -k https://localhost:8089/services/search/jobs/1258421375.19/results/ \
     --get -d output_mode=csv

You can also use Python Splunk SDK for this. - https://dev.splunk.com/view/python-sdk/SP-CAAAEBB

I hope this helps!!!

Re: how to get splunk event logs by using rest api

tcsec2user — Thu, 30 Jun 2022 09:42:01 GMT

Thanks for your quick response. I have tried same just I have replaced the my URL and credentials but im getting the this below json response

My request:

curl -u test:test -k https://test:8088/services/search/jobs -d search="search *"

Response:

{
"text": "The requested URL was not found on this server.",
"code": 404
}

Re: how to get splunk event logs by using rest api

tcsec2user — Thu, 30 Jun 2022 09:46:24 GMT

Thanks for your quick response. I have tried same just I have replaced the my URL and credentials but im getting the this below json response

My request:

curl -u test:test -k https://test:8088/services/search/jobs -d search="search *"

Response:

{
"text": "The requested URL was not found on this server.",
"code": 404
}

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 09:49:22 GMT

Look at the port number it should be 8089.

8088 is the HEC port.

8089 is a management port.

(Though I'm not sure if management port on Splunk cloud would be publicly available or not.)

Re: how to get splunk event logs by using rest api

tcsec2user — Thu, 30 Jun 2022 09:55:15 GMT

I changed and tried different ports numbers and in my global setting is the port number is 8088

Re: how to get splunk event logs by using rest api

PickleRick — Thu, 30 Jun 2022 09:59:09 GMT

8088 != 8089 😉

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 09:59:58 GMT

@tcsec2user HEC is totally different than REST API.

REST API is on 8089 (management port)
HEC is on 8088 port.

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 10:00:30 GMT

😀

Re: how to get splunk event logs by using rest api

tcsec2user — Thu, 30 Jun 2022 10:06:16 GMT

8089 is also not working.

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 10:08:13 GMT

@tcsec2user - What error you are getting with that?

Re: how to get splunk event logs by using rest api

tcsec2user — Thu, 30 Jun 2022 10:29:01 GMT

Im using HEC method .I post the data to Splunk cloud using this URL https://localhost:8088/services/collector/event

then I want fetch that event data ?

I'm using token for authentications not using my username and password .

if I use 8089 as my port number it is not connected to server

using 8088 https://localhost:8088/services/search/jobs?search="search *"

the response is

{

"text": "The requested URL was not found on this server.",

"code": 404

}

Re: how to get splunk event logs by using rest api

VatsalJagani — Thu, 30 Jun 2022 10:57:26 GMT

@tcsec2user -

The first call is for HEC which you are doing is correct.
- I post the data to Splunk cloud using this URL https://localhost:8088/services/collector/event

Then you do a search with the management port:
- https://localhost:8088/services/search/jobs?search="search *"
- Two things need to be corrected here:
  - Port needs to be 8089
    - You said "if I use 8089 as my port number it is not connected to server"
    - This could be due to the management port could be blocked for outside use on the Splunk cloud. I'm not 100% sure. Please check with Splunk Cloud support that I need to use the management port for REST API.
  - Second, "search="search *" is not a param so you need to make a post request and send it as the body.

So start with access to the management port on your Splunk cloud environment, and reach out to Splunk cloud support.

I hope this helps!!!