topic How can I create a search job using the REST API? in Other Usage

How can I create a search job using the REST API?

ww9rivers — Thu, 10 Aug 2023 21:17:52 GMT

Following the documentation here:
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job

I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.

However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']

where, jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs in the search head.

The code (JavaScript) is in this public repository:
https://github.com/ww9rivers/splunk-rest-search

Am I missing anything? Thank you for your insights!

Re: Creating a search job using the REST API

isoutamo — Fri, 21 Jul 2023 11:10:20 GMT

I suppose that there is some misunderstanding to use /services vs. /servicesNS endpoints? Maybe that explain how to use those? https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-this-Error-while-using-the-rest-in-the-splunk/m-p/594581/highlight/true#M206942

r. Ismo

Re: Creating a search job using the REST API

ww9rivers — Fri, 21 Jul 2023 21:37:42 GMT

No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search:

curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . .

In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "|rest" , rather, it is something like "| inputcsv <some-results>.csv" for most my use cases.

Thank you for the thoughts.

Re: Creating a search job using the REST API

ww9rivers — Thu, 10 Aug 2023 16:39:43 GMT

There is something missing in my NodeJS code, it seems.

This simple Python3 test works (in creating a search job and returning an sid):

import os import requests # Set up the session with our adapter SEARCH_ENDPOINT = "https://"+os.environ['SPLUNK_HOST']+":8089/services/search/jobs" headers = { 'Authorization': 'Bearer '+os.environ['SPLUNK_TOKEN'], "Accept": "application/json" } params = { "search": "inputcsv search-output.csv", "output_mode": "json" } response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True) print(response.text)

But this NodeJS code does not:

With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this:

{"sid":"1691684765.268000"}

But the NodeJS example returns an XML document.

Any thoughts are much appreciated!

Re: Creating a search job using the REST API

ww9rivers — Mon, 21 Aug 2023 03:04:49 GMT

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61