<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to import data to Splunk via HTTP GET request? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352074#M64550</link>
    <description>&lt;P&gt;Did your search return anything at all? Normally, with the API you run a search and the query returns a search SID, then you use the SID to query again for the results of the search.&lt;/P&gt;

&lt;P&gt;You would usually build your search as a set of parameters and pass it to an endpoint, and get a SID back from that. Here's an example snippet from some python code I wrote to get bucket info from a dbinspect search:&lt;/P&gt;

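&lt;PRE&gt;&lt;CODE&gt;import json
import sys

# searchhead and fetchdata() are defined elsewhere in the script this snippet comes from.
# URL-encoded search "|dbinspect index=* latest=now earliest=-99y", run in blocking mode
params = "search=%7Cdbinspect%20index%3D%2A%20latest%3Dnow%20earliest%3D-99y&amp;amp;exec_mode=blocking"
url = "https://" + searchhead + ":8089/services/search/jobs/"
item = json.loads(fetchdata(url,params))
try:
    sid = str(item['sid'])
except (KeyError, TypeError):
    # No SID in the response: the search job was not created
    sys.exit(1)
# Fetch the results of the finished job by its SID
url = "https://" + searchhead + ":8089/services/search/jobs/" + sid + "/results/"
urldata = fetchdata(url)
&lt;/CODE&gt;&lt;/PRE&gt;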

&lt;P&gt;You can see the query is in the params variable, and I pass it to the search head (the &lt;CODE&gt;url&lt;/CODE&gt; variable) as a query parameter (the &lt;CODE&gt;fetchdata&lt;/CODE&gt; call). The result is returned to the &lt;CODE&gt;item[]&lt;/CODE&gt; array, which I grab the SID from (the try block: &lt;CODE&gt;sid = str(item['sid'])&lt;/CODE&gt;).&lt;BR /&gt;
Once I have the SID I build a new &lt;CODE&gt;url&lt;/CODE&gt; var with the SID (second from last line in the example) then call it to return the result data.&lt;/P&gt;</description>
    <pubDate>Wed, 20 Sep 2017 14:47:47 GMT</pubDate>
    <dc:creator>sjalexander</dc:creator>
    <dc:date>2017-09-20T14:47:47Z</dc:date>
    <item>
      <title>How to import data to Splunk via HTTP GET request?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352073#M64549</link>
      <description>&lt;P&gt;I've been looking for a way to import contents from an HTTP GET request with Splunk, without success. At first, I thought I could do this by using the REST API section that is built into Splunk. But after I gave it a URL to do an HTTP GET request, my search returned no events. I thought this was all I had to do to get content from the page into Splunk. The documentation for this section is very confusing and I don't know where to start. At this point, I don't know if the REST API is the answer to my question. Does anyone know of a way I could get content with an HTTP GET request in Splunk?&lt;/P&gt;</description>
      <pubDate>Wed, 20 Sep 2017 14:26:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352073#M64549</guid>
      <dc:creator>tamduong16</dc:creator>
      <dc:date>2017-09-20T14:26:47Z</dc:date>
    </item>
    <item>
      <title>Re: How to import data to Splunk via HTTP GET request?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352074#M64550</link>
      <description>&lt;P&gt;Did your search return anything at all? Normally, with the API you run a search and the query returns a search SID, then you use the SID to query again for the results of the search.&lt;/P&gt;

&lt;P&gt;You would usually build your search as a set of parameters and pass it to an endpoint, and get a SID back from that. Here's an example snippet from some python code I wrote to get bucket info from a dbinspect search:&lt;/P&gt;

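&lt;PRE&gt;&lt;CODE&gt;import json
import sys

# searchhead and fetchdata() are defined elsewhere in the script this snippet comes from.
# URL-encoded search "|dbinspect index=* latest=now earliest=-99y", run in blocking mode
params = "search=%7Cdbinspect%20index%3D%2A%20latest%3Dnow%20earliest%3D-99y&amp;amp;exec_mode=blocking"
url = "https://" + searchhead + ":8089/services/search/jobs/"
item = json.loads(fetchdata(url,params))
try:
    sid = str(item['sid'])
except (KeyError, TypeError):
    # No SID in the response: the search job was not created
    sys.exit(1)
# Fetch the results of the finished job by its SID
url = "https://" + searchhead + ":8089/services/search/jobs/" + sid + "/results/"
urldata = fetchdata(url)
&lt;/CODE&gt;&lt;/PRE&gt;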

&lt;P&gt;You can see the query is in the params variable, and I pass it to the search head (the &lt;CODE&gt;url&lt;/CODE&gt; variable) as a query parameter (the &lt;CODE&gt;fetchdata&lt;/CODE&gt; call). The result is returned to the &lt;CODE&gt;item[]&lt;/CODE&gt; array, which I grab the SID from (the try block: &lt;CODE&gt;sid = str(item['sid'])&lt;/CODE&gt;).&lt;BR /&gt;
Once I have the SID I build a new &lt;CODE&gt;url&lt;/CODE&gt; var with the SID (second from last line in the example) then call it to return the result data.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Sep 2017 14:47:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352074#M64550</guid>
      <dc:creator>sjalexander</dc:creator>
      <dc:date>2017-09-20T14:47:47Z</dc:date>
    </item>
    <item>
      <title>Re: How to import data to Splunk via HTTP GET request?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352075#M64551</link>
      <description>&lt;P&gt;In addition, you can use workflow actions and alerts to GET / POST HTTP actions as well. Remember, the REST API will poll the GET URL continuously at the polling interval. Suggest reading up on workflow and alert actions as well, but what @sjalexander is asking is most important - if your REST API integration is not working and not fetching a SID, then it could be that you have missed some configuration. Are you sure you have passed the tokens / keys needed to fetch data from your GET URL? Mostly all API URLs will have some authentication mechanism....&lt;/P&gt;</description>
      <pubDate>Wed, 20 Sep 2017 15:37:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-import-data-to-Splunk-via-HTTP-GET-request/m-p/352075#M64551</guid>
      <dc:creator>Sukisen1981</dc:creator>
      <dc:date>2017-09-20T15:37:15Z</dc:date>
    </item>
  </channel>
</rss>

