I'm using a REST API broker platform and it's running Splunk searches. All of my searches I've ran come out the exact same way they do in the Splunk UI, except when I try to run an ldapsearch.
Command being sent:
| ldapsearch search="(&(objectclass=user)(objectcategory=user)
| search userPrincipalName
| table fieldICareabout | rex mode=sed field=fieldICareAbout "s/(.*\/)//"
I recognize that this command has to be the first command, so how do I send a command like this via API if "search" is appended to every search?
I get the FATAL error
message: Error in 'ldapsearch' command: This command must be the first command of a search.
So to test your error, I just tried to curl something that would throw a FATAL, but it should raise that
1 - curl -u admin:**** -k https://localhost:8094/services/search/jobs -d search="| ldapsearch "
Then get the job id and grab the results
2 - curl -u admin:****-k https://localhost:8094/services/search/jobs/1520586227.6682/results/ --get -d output_mode=csv
<msg type="FATAL">Error in 'ldapsearch' command: command="ldapsearch", A value for "search" is required</msg>
So my point here is what you are passing to the REST endpoint services/search/jobs is probably not well formatted.
Can you try that command the way I did passing it in the command line, so we can debug that option out?
Can you post the code that you're using to submit the API request? You should be fine if you start the query with | (no space before it).