topic Re: REST API - Creating a Search in Getting Data In

REST API - Creating a Search

kvmadan — Mon, 03 Feb 2020 14:19:05 GMT

As mentioned in the documentation i am trying to create a search but I'm not getting the expected response.
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Tips_on_accessing_searches

I'm getting below response.

<title>jobs</title>
<id>https://xyz:8089/services/search/jobs</id>
<updated>2020-02-03T06:11:04-08:00</updated>
<generator build="7af3758d0d5e" version="7.3.3"/>
<author>
    <name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>

As per the documentation, i am suppose to receive the sid.
Can someone help, what is going wrong?

Re: REST API - Creating a Search

jkat54 — Mon, 03 Feb 2020 21:51:04 GMT

Please share your curl command.

Re: REST API - Creating a Search

somesoni2 — Mon, 03 Feb 2020 22:30:45 GMT

Did you specify the search as show in that documentation page?

Re: REST API - Creating a Search

kvmadan — Tue, 04 Feb 2020 01:47:19 GMT

I'm sending the request through postman
below is what i am sending. .
https://splunk.xyx.net:8089/services/search/jobs?search=sourcetype=sp:wf_log "IAV2testSubmissionDebug" "xyz_time" index=datacenter

and above is the response i got with 200OK.

Re: REST API - Creating a Search

jkat54 — Tue, 04 Feb 2020 02:02:44 GMT

Are you GETing or POSTing?

Re: REST API - Creating a Search

jkat54 — Tue, 04 Feb 2020 02:03:48 GMT

curl -XPOST -k https://..

Re: REST API - Creating a Search

niketn — Tue, 04 Feb 2020 02:46:37 GMT

@kvmadan can you try the following REST API?

https://xyz:8089/servicesNS/-/-/search/jobs

instead of https://xyz:8089/services/search/jobs and confirm?

Re: REST API - Creating a Search

kvmadan — Tue, 04 Feb 2020 03:05:10 GMT

Thank you. I got it now, i think the search should start with search command.
curl -XPOST -k https://splunk.xyz.net:8089/services/search/jobs -d search="search host=datacenter* AND sourcetype=absd:log "IzV2xyzSubmissionDebug" "absd_time" index=datacenter"

Re: REST API - Creating a Search

kvmadan — Tue, 04 Feb 2020 03:37:46 GMT

It doesnt work for me.

Re: REST API - Creating a Search

kvmadan — Tue, 04 Feb 2020 08:21:24 GMT

Another followup question.
I'm able to submit the job but the results are empty once the job's dispatchstate is DONE.
the same search query, when i execute in the Splunk UI, it returns the results.
I also treed limiting the results to last 24h by appending earliest=-24h

Is there anything wrong i am doing?

Re: REST API - Creating a Search

jkat54 — Tue, 04 Feb 2020 10:15:23 GMT

Is your new problem related to knowledge object sharing/permissions and the API namespace you're using?

For example, if your search works in "searching and reporting" app (aka "search") when ran as "username" but doesn't work in "launcher" app... or as another user in search app...

You would use curl.... localhost:port/servicesNS/username/search

If it only works for admin:

/servicesNS/admin/search

Re: REST API - Creating a Search

jkat54 — Tue, 04 Feb 2020 10:16:43 GMT

I converted my comments to an answer, please accept if it helped.

Re: REST API - Creating a Search

kvmadan — Tue, 04 Feb 2020 10:19:02 GMT

No, the search query can work in any app with admin/my user.