topic Re: API search query help in Splunk Search

API search query help

thaghost99 — Mon, 07 Jun 2021 21:00:54 GMT

hi me again.

need help.

this search string works perfectly fine when doing search int he gui

this search works fine in SPLUNK APP = XADATA

index=xa_data sourcetype=xaupload Time_!=timestamp earliest=-40m latest=now |timechart span=40m eval(sum(Total_)) by time | eval Total_= sum(NULL) |where NULL > 0

but when i use the same search via API

i am getting this error.

any help will do thank you.

Re: API search query help

venkatasri — Tue, 08 Jun 2021 02:16:47 GMT

Hi @thaghost99

The one you got is not an error 'messages' is an additional information that's being returned by API in outputode=json you can safely ignore it for your case. In this case Your search did not return any results, see the results[] is empty.

To test this further you can set outputmode=raw and execute you won't get any output. Docs not covered how to get rid of these 'messages' in JSON mode.

If the search returns results you see the output as described here - Search endpoint descriptions - Splunk Documentation

----

An upvote would be appreciated if it helps!

Re: API search query help

thaghost99 — Fri, 11 Jun 2021 00:26:46 GMT

@venkatasri

hi thanks for the update. i think i found the problem. i think for some reason. it does not like the PIPE.

when i have the pipe it gives me that error. but when i remove it. it works just fine.

can you help?

Re: API search query help

venkatasri — Fri, 11 Jun 2021 00:50:37 GMT

Hi @thaghost99 PIPE are usually fine, the same SPL that you use in UI can be used in API, expect explicit search command at the beginning of the query. which PIPE you are referring to?

Re: API search query help

thaghost99 — Fri, 11 Jun 2021 01:52:51 GMT

this works....

curl -u admin:admin -k https://xxxx:8089/services/search/jobs --data-urlencode search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records"

this does not.

curl -u admin:admin -k https://xxx:8089/services/searc h/jobs -d search="search index=xa_data sourcetype=xaupload earliest=-20m latest= now NOT records | table Total_"

NOTE: the Total_ is a valid field. and it works when doing it directly in the web splunk.

Re: API search query help

thaghost99 — Fri, 11 Jun 2021 01:53:47 GMT

@venkatasri

this works....

curl -u admin:admin -k https://xxxx:8089/services/search/jobs --data-urlencode search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records"

this does not.

curl -u admin:admin -k https://xxx:8089/services/searc h/jobs -d search="search index=xa_data sourcetype=xaupload earliest=-20m latest= now NOT records | table Total_"

NOTE: the Total_ is a valid field. and it works when doing it directly in the web splunk.

Re: API search query help

venkatasri — Fri, 11 Jun 2021 04:17:27 GMT

Hi @thaghost99

As i initially mentioned, the message only appears in json mode regardless PIPE. output_mode=raw/csv never returns such message. See below.

WITH PIPE, message appears.

WITHOUT PIPE, message appears.

------

An upvote would be appreciated if it helps!

Re: API search query help

thaghost99 — Fri, 11 Jun 2021 11:37:35 GMT

@venkatasri

i wish it works. but its empty results.

curl -u admin:admin -k https://xxxx:8089/services/search/jobs/mysearch_1/results --get -d output_mode=raw

should i log a ticket that it dont work?