https://community.splunk.com/t5/Splunk-Dev/Splunk-REST-API-Validate-SPL/m-p/593355#M10304 <P>You can use /services/search/parser to validate SPL:</P><P>&nbsp;</P><LI-CODE lang="markup">smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq . { "remoteSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"", "normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"", "remoteTimeOrdered": true, "eventsSearch": "search index=foo sourcetype=bar", "eventsTimeOrdered": true, "eventsStreaming": true, "reportsSearch": "", "isStreamingSearch": true, "canSummarize": false, "commands": [ { "command": "search", "rawargs": "index=foo sourcetype=bar", "pipeline": "streaming", "args": { "search": [ "(index=foo sourcetype=bar)" ] }, "isGenerating": true, "streamType": "SP_STREAM" } ] } smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq . { "messages": [ { "type": "FATAL", "text": "Unknown search command 'bizzbuzz'." } ] } smcmaster@splunk ~ %</LI-CODE><P>&nbsp;</P><P>Successful parsing (such as the first example) results in 200, failure (such as the second example) results in a 400.</P> Mon, 11 Apr 2022 20:57:11 GMT mcmaster 2022-04-11T20:57:11Z https://community.splunk.com/t5/Splunk-Dev/Splunk-REST-API-Validate-SPL/m-p/582098#M10303 <P>Hi all,</P><P>I am working on a project that take SPL input from user. So, i need to be sure that SPL has a correct syntax without making a search with the SPL. I could not see but is there a validator for SPLs?</P> Fri, 21 Jan 2022 22:18:58 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-REST-API-Validate-SPL/m-p/582098#M10303 kirchoff 2022-01-21T22:18:58Z https://community.splunk.com/t5/Splunk-Dev/Splunk-REST-API-Validate-SPL/m-p/593355#M10304 <P>You can use /services/search/parser to validate SPL:</P><P>&nbsp;</P><LI-CODE lang="markup">smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq . { "remoteSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"", "normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"", "remoteTimeOrdered": true, "eventsSearch": "search index=foo sourcetype=bar", "eventsTimeOrdered": true, "eventsStreaming": true, "reportsSearch": "", "isStreamingSearch": true, "canSummarize": false, "commands": [ { "command": "search", "rawargs": "index=foo sourcetype=bar", "pipeline": "streaming", "args": { "search": [ "(index=foo sourcetype=bar)" ] }, "isGenerating": true, "streamType": "SP_STREAM" } ] } smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq . { "messages": [ { "type": "FATAL", "text": "Unknown search command 'bizzbuzz'." } ] } smcmaster@splunk ~ %</LI-CODE><P>&nbsp;</P><P>Successful parsing (such as the first example) results in 200, failure (such as the second example) results in a 400.</P> Mon, 11 Apr 2022 20:57:11 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-REST-API-Validate-SPL/m-p/593355#M10304 mcmaster 2022-04-11T20:57:11Z