https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/601631#M209382 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149908">@eregon</a>&nbsp;,&nbsp;</P><P>Did you figure this one out?&nbsp; I'm having the same issue with one of the instances I look after.</P><P>Can curl OK - but get nothing when trying to run | rest command from SPL.</P><P>Have not seen this issue before - haven't been able to determine the cause as yet.</P> Tue, 14 Jun 2022 02:37:41 GMT MKozanic 2022-06-14T02:37:41Z https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/591208#M205825 <P>Good morning fellow Splunkthiasts!</P> <P>I am trying to build some dashboard using Splunk REST, unfortunately I can not get the data from certain endpoints when using | rest SPL command, while CURL approach returns what is expected.</P> <P>To be specific, I want to read /services/search/jobs/&lt;SID&gt;/summary endpoint. Following SPL returns 0 results:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest /services/search/jobs/1648543133.8/summary</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>When called externally, the endpoint works as expected:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">[2022-03-29 10:46:25] root@splunk1.lab2.local:~# curl -k -u admin:pass https://localhost:8089/services/search/jobs/1648543133.8/summary --get | head % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 15578 100 15578 0 0 661k 0 --:--:-- --:--:-- --:--:-- 661k &lt;?xml version='1.0' encoding='UTF-8'?&gt; &lt;results preview='0'&gt; &lt;meta&gt; &lt;fieldOrder&gt; &lt;field&gt;_bkt&lt;/field&gt; &lt;field&gt;_cd&lt;/field&gt; &lt;field&gt;_eventtype_color&lt;/field&gt; &lt;field&gt;_indextime&lt;/field&gt; &lt;field&gt;_kv&lt;/field&gt; &lt;field&gt;_raw&lt;/field&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;The same happens with /services/search/jobs/&lt;SID&gt;/results and /services/search/jobs/&lt;SID&gt;/events.</P> <P>When I call /services/search/jobs/ or /services/search/jobs/&lt;SID&gt;, data is returned by both SPL and CURL. I tried this on several Splunk instances with versions ranging from 8.2.3 back to 7.3.3, always using account with admin role - the behavior is always exactly the same.</P> <P>Any hints what I might be missing?</P> Tue, 29 Mar 2022 13:15:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/591208#M205825 eregon 2022-03-29T13:15:22Z https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/601631#M209382 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149908">@eregon</a>&nbsp;,&nbsp;</P><P>Did you figure this one out?&nbsp; I'm having the same issue with one of the instances I look after.</P><P>Can curl OK - but get nothing when trying to run | rest command from SPL.</P><P>Have not seen this issue before - haven't been able to determine the cause as yet.</P> Tue, 14 Jun 2022 02:37:41 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/601631#M209382 MKozanic 2022-06-14T02:37:41Z https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/602066#M209558 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/169934">@MKozanic</a> , unfortunately not yet. I got some hints from Splunk expert at .conf, so I'll try and see.</P><P>However, you mention you have this issue on one of your instances - does that mean you have some instances where | rest works as expected?</P> Thu, 16 Jun 2022 12:39:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/602066#M209558 eregon 2022-06-16T12:39:19Z https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/602082#M209566 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149908">@eregon</a>&nbsp;,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/169934">@MKozanic</a>&nbsp;- These endpoints that you mentioned definitely don't work with SPL command, I can confirm that.</P><P>Now, this could be a bug or intentionally not implemented stuff. I'm not sure. But you can do some of these with other SPL functionalities.&nbsp;</P><P>Like, you could fetch the results with loadjob command.</P><LI-CODE lang="markup">| loadjob 1655385534.107304</LI-CODE><P>&nbsp;</P><P>I would suggest you to change your direction of search. Whatever data you want try to see if there is a separate SPL command to get it.</P><P>References:</P><UL><LI><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commandsbycategory" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commandsbycategory</A></LI><LI><A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Loadjob" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Loadjob</A></LI><LI>And Splunk Answers</LI></UL><P>&nbsp;</P><P>I hope this helps!!!</P> Thu, 16 Jun 2022 13:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-rest-command-not-returning-any-data-where-CURL-works/m-p/602082#M209566 VatsalJagani 2022-06-16T13:40:23Z