topic Re: Getting data forwarded in Getting Data In

Getting data forwarded

jgervin — Mon, 14 Nov 2011 05:21:00 GMT

How can I get the data from http://localhost:8000/en-US/app/search/flashtimeline?auto_pause=true&q=search%20host%3D%22SOME_COMPUTER_NAME_FROM_FORWARDER%22

I want to get the data that fills the flashtimeline and the logs how do I get this thru the api?

Re: Getting data forwarded

Ayn — Mon, 14 Nov 2011 09:49:25 GMT

There are good tutorials on how to interact with the REST API in the docs. This is a good starting point: http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

Re: Getting data forwarded

jgervin — Thu, 17 Nov 2011 04:23:46 GMT

The link doesn't help. This is close http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESToutput

But it still doesn't show how to get to the forwarders data by host.

Re: Getting data forwarded

Ayn — Thu, 17 Nov 2011 07:40:13 GMT

Could you be a bit more specific regarding what you want to achieve?

Re: Getting data forwarded

jgervin — Fri, 18 Nov 2011 03:45:13 GMT

Do a search with the following field host="JAdams-LT"

Re: Getting data forwarded

Ayn — Fri, 18 Nov 2011 10:17:58 GMT

What are you missing from the tutorial I linked to? Searching for host="JAdams-LT" is done simply by issuing that as a search query. You need to be much more specific, I'd be glad to help but it's hard to know what your goal is, how far you have come towards achieving it, what works, what doesn't work, etc etc.

Re: Getting data forwarded

jgervin — Sat, 19 Nov 2011 21:06:00 GMT

I want to pull back any logs with the word "Error" found in the sys log of host="JAdams-LT". I want this data by calling the API (NOT thru curl).

Re: Getting data forwarded

Ayn — Sat, 19 Nov 2011 21:33:18 GMT

OK, well you can use any tool you want for the job - curl is just one of them. You could use the Python SDK (https://github.com/splunk/splunk-sdk-python), the Splunk Resource Powershell Resource Kit (https://github.com/splunk/splunk-reskit-powershell), Perl's LWP, anything that lets you perform the necessary steps for interacting with Splunk through the REST API. The steps are outlined in the tutorial.

The search parameter in the post to /services/search/jobs should be "%22search%20host%3D'JAdams-LT'%20AND%20Error%22".

Re: Getting data forwarded

Ayn — Sat, 19 Nov 2011 21:33:57 GMT

You should also consider using the Splunk CLI for achieving the same thing - use "splunk search " at the command line. Perhaps that works for you, I wouldn't know - you're really not providing much details. I hope you find a solution.

Re: Getting data forwarded

jgervin — Sat, 19 Nov 2011 22:27:09 GMT

Ok this works for me using curl, but I need a URL with params that does the same thing.

curl -k -u admin:secretpassword -d 'search="search error | head 10"' -d "output_mode=csv"
https://localhost:8089/servicesNS/admin/search/search/jobs/export

Re: Getting data forwarded

Ayn — Sat, 19 Nov 2011 22:39:54 GMT

Parameters such as search queries etc are sent as POST data only when interacting with the REST API. There are no corresponding GET parameters that do the same thing.