topic Re: How to create Search via REST api in verbose mode ? in Getting Data In

How to create Search via REST api in verbose mode ?

shravankumarkus — Thu, 06 Jun 2019 10:20:15 GMT

I'm firing search query via REST api to get notable events, but the search is not returning all fields available in the event , I see It is running in fast mode.

How to change the search mode when invoking search via REST api

Re: How to create Search via REST api in verbose mode ?

adonio — Thu, 06 Jun 2019 11:58:18 GMT

not sure how to change search mode, however, you can add | fields * after your filtering (index=a sourcetype=b) that will return all fields in fast mode

Re: How to create Search via REST api in verbose mode ?

harsmarvania57 — Thu, 06 Jun 2019 12:10:36 GMT

Which rest api are you using to fire search query , if you are using search/jobs/ then you can use adhoc_search_level = verbose Ref. doc https://docs.splunk.com/Documentation/Splunk/7.3.0/RESTREF/RESTsearch#search.2Fjobs

Re: How to create Search via REST api in verbose mode ?

DavidHourani — Thu, 06 Jun 2019 12:18:01 GMT

Hi @shravankumarkusuma,

Use something like this :

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300 -d adhoc_search_level=verbose

You can find everything here :https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Cheers,
David

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Wed, 30 Sep 2020 00:48:18 GMT

Hi guys,

thanks for the response

adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint with POST to directly get the results instead of getting and then firing one more request to /search/job/sid/events

i want to directly get results with via exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Wed, 30 Sep 2020 00:48:21 GMT

thanks for the response

adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint to directly get the results instead of getting and then firing one more request to /search/job/sid/events

i want to directly get results with exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Wed, 30 Sep 2020 00:48:23 GMT

thanks for the response

i want to directly get results with exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

Re: How to create Search via REST api in verbose mode ?

harsmarvania57 — Thu, 06 Jun 2019 12:27:29 GMT

Is it possible to share your query and fields you are trying to fetch ?

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Wed, 30 Sep 2020 00:48:26 GMT

two ways i'm firing query

method 1:
/services/search/jobs/?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot

method 2:
/services/search/jobs/export?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose

both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?

i don't want to fire another query with sid if i can get in one API request

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Wed, 30 Sep 2020 00:48:29 GMT

two ways i'm firing query

method 1:
/services/search/jobs/?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot

method 2:
/services/search/jobs/export?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose

both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?

i don't want to fire another query with sid if i can get in one API request

Re: How to create Search via REST api in verbose mode ?

DavidHourani — Thu, 06 Jun 2019 12:41:20 GMT

ummm what about adding | fields * or | table * ? As you saw in the doc adhoc_search_levelis for POST not GET

Re: How to create Search via REST api in verbose mode ?

harsmarvania57 — Thu, 06 Jun 2019 13:05:19 GMT

In your method 1 remove adhoc_search_level=verbose and as mentioned by @adonio add | fields * at end of your search. I have tested with small set of fields and it is working fine.

Re: How to create Search via REST api in verbose mode ?

jkat54 — Thu, 06 Jun 2019 13:50:16 GMT

Your time parameter is in the wrong format.

You want latest to be 0 instead of now and try -1h instead of -hr for earliest.

Also when you dispatch a rest search, pay attention to your app context. In all your examples you're dispatching searches from the search and reporting app. If you don't have your search time extractions in that app (props, transforms, etc) OR if the extractions aren't shared globally or with the same user you're doing your rest authentication with, then you will not get the desired results.

Re: How to create Search via REST api in verbose mode ?

jkat54 — Thu, 06 Jun 2019 13:53:41 GMT

You have to dispatch the search first (one POST) and then retrieve the results with a GET. It's two calls plus the auth token call for every search you want to run via rest.

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Fri, 07 Jun 2019 05:06:55 GMT

thanks that works

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Fri, 07 Jun 2019 05:12:03 GMT

thanks @jkat54
I'm using this for splunk enterprise security, can you please point out the cases where search can fail,
how can we change the app context to get the results everytime

any suggestions on which endpoint for search to use with proper app context so that search won't fail ?

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Fri, 07 Jun 2019 05:13:05 GMT

thanks, that solves my problem

Re: How to create Search via REST api in verbose mode ?

jkat54 — Fri, 07 Jun 2019 05:14:48 GMT

It's all documented here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/RESTREF/RESTprolog

Re: How to create Search via REST api in verbose mode ?

shravankumarkus — Fri, 07 Jun 2019 05:26:43 GMT

thanks a lot

Re: How to create Search via REST api in verbose mode ?

DavidHourani — Fri, 07 Jun 2019 05:31:40 GMT

Most welcome ! Please upvote and accept the answer 🙂