topic Re: Problems using the REST API to search in Getting Data In

Problems using the REST API to search

merritsa — Wed, 25 Jan 2012 21:18:43 GMT

Hello,

I have several questions/issues with the Splunk API, so I'll try to keep this short and concise.

First - does splunk offer a WSDL? That would really solve all this for me. If not, then here's my next question of many:

What's causing this error?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side./s:item

I get that when I attempt to call the Splunk API with an HP OO HTTP Client GET operation.

I have ideas for workarounds (including using WMI to run splunk CLI search commands and getting results) but they have their own issues. I'd like to tackle this one first.

Thanks in advance.

Re: Problems using the REST API to search

jensihnow — Wed, 25 Jan 2012 21:32:27 GMT

Maybe it would help if you post your search string to check the syntax. 😉

Re: Problems using the REST API to search

merritsa — Wed, 25 Jan 2012 21:52:21 GMT

Of course, my apologies 🙂 I'm on a conference call and replying to both IM and email too...I'm a terrible multi-tasker.

Here you go...

Post from the HTTP Client POST operation in OO:

https://<splunk_server/services/search/jobs/

search=cdp * | head 10,output_mode=xml

inputValueSet
search=cdp * | head 10,output_mode=xml

inputNameList
search,output

delimeter
,

This returns success and gives me what looks to be an epoch time as a result. I've read that this is the name of the splunk search results (in this case, 1327527878.25639.

Re: Problems using the REST API to search

merritsa — Wed, 25 Jan 2012 21:52:25 GMT

So then I run an HTTP Client GET to get those results, at which point I get the error I originally posted - Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side./s:item.

It's down in the middle of all the xml output I get as a reply.

Re: Problems using the REST API to search

Damien_Dallimor — Wed, 25 Jan 2012 22:07:54 GMT

Not a WSDL , but an endpoint reference can be found here :

http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlist

Re: Problems using the REST API to search

merritsa — Wed, 25 Jan 2012 23:05:53 GMT

Thanks, I'll check it out.

Re: Problems using the REST API to search

jensihnow — Thu, 26 Jan 2012 08:16:17 GMT

You created a search job and got a jobid. But if you are going to get the results you got the splunk error. That looks like your search is not send correct to splunk by the request. At http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT is a nice tutorial with some examples:
curl -k -u admin:changeme -d 'search="search error"' https://localhost:8089/servicesNS/admin/search/search/jobs

Maybe the quoting/encoding of your request is wrong.

Re: Problems using the REST API to search

merritsa — Thu, 26 Jan 2012 15:13:52 GMT

So based on that reference page, as far as I can tell, it's formatted correctly. What's the next step to ts this?

Re: Problems using the REST API to search

merritsa — Thu, 26 Jan 2012 15:15:06 GMT

Exactly. Splunk never returns an error on the search itself when I post it.

I'll play with it some more and report back. Thanks.

Re: Problems using the REST API to search

hexx — Fri, 27 Jan 2012 07:15:17 GMT

I would suggest to modify the "search" parameter in your POST request to :

search=search cdp * | head 10

...instead of :

search=cdp * | head 10

...as specified in the REST API reference for the search/jobs endpoint:

Name    Type    Required    Default     Description
search  String  ✓                     The search language string to execute, taking results from the local and remote servers.

Examples:
    "search *" 
    "search * | outputcsv"

(...)

The search string for the search parameter must be prefixed with "search." Thus, it is in the form:

search search_string

(...)

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs \
    --data-urlencode search="search index=_internal source=*/metrics.log" \
    -d id=mysearch_02151949 \
    -d max_count=50000 \
    -d status_buckets=300</code>

The error you are seeing is shown because your search string is the equivalent of typing "=cdp * | head 10" in the Splunkweb search bar, which would indeed have a missing term on the left side of an "=" operand.

This is because the Splunkweb search bar silently appends the search terms you provide to the search commmand, which results in a separate "splunk search" process.

If you compare a search job entry from a Splunkweb ad-hoc search @ https://localhost:8089/services/search/jobs/ with the one generated by your search, you'll see the difference.

Essentially, you'll want to modify your POST request so that the name of the job object you create @ https://localhost:8089/services/search/jobs/ is "search cdp * | head 10" and not "search=cdp * | head 10".

Re: Problems using the REST API to search

hexx — Fri, 27 Jan 2012 20:28:25 GMT

@merritsa: Thank you for accepting my answer. Did my instructions resolve your problem?

Re: Problems using the REST API to search

merritsa — Fri, 27 Jan 2012 20:29:34 GMT

Thanks, this got me a lot closer. I revised the command to instead be search cdp * | head 10,output_mode=xml, since the command "search" seems to be accounted for elsewhere in the post operation input.

Though I still don't seem to have results. Just a lack of an error message. In looking through it, it seems this might be why:

1969-12-31T16:00:00.000-08:00/s:key

I'll try to figure out how to denote a proper search time.

Re: Problems using the REST API to search

hexx — Mon, 28 Sep 2020 10:22:18 GMT

You need to pass the "earliest_time" and "latest_time" parameters in your POST request to do so, just like you did for "search". You can find the specifications of these parameters in the "Request" table of the REST API reference documentation I linked earlier.