topic API Auth and Search Script in Splunk Dev

API Auth and Search Script

martillo_300 — Thu, 25 Apr 2024 19:09:38 GMT

Hello Experts, I'm trying to create a python script to run adhoc searches via a api request but the documentation has me opening webpages after webpages. I've created a token already. Can someone please help me with this task? Thank you in advance,Splunk Search

Re: API Auth and Search Script

marnall — Thu, 25 Apr 2024 19:41:32 GMT

Try modifying this CURL request to your needs (adjust the endpoint, search, and token)

curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/v2/jobs/export -d search="search index=* | head 10 | table host"

Re: API Auth and Search Script

martillo_300 — Thu, 25 Apr 2024 21:20:58 GMT

Thanks. Is there a count that I can limit this to? I makes the call but never comes back with data where I have to kill the process.

Re: API Auth and Search Script

marnall — Fri, 26 Apr 2024 18:54:11 GMT

The /export endpoint will dispatch a search and then retrieve the results when the search is completed. If the search takes a lot of time, then likely the request will time out. You can either make your search faster or you can use two endpoints, one where you dispatch the search and another endpoint where you later retrieve the results.

To dispatch the search:

curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/jobs -d search="search index=* | head 10 | table host"

The above call will return you a search id (sid), which you'll need in the following call to retrieve the results:

curl -k -H 'Authorization: Splunk <your_token_here>' https://your_searchhead_here:8089/services/search/<yoursidhere>/results

Ref: https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Re: API Auth and Search Script

martillo_300 — Mon, 29 Apr 2024 12:52:13 GMT

That worked! Thank you so much. This is exactly what I was needing.