Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Dev
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How to get REST API to respond with simple XML?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
03-15-2021
05:27 PM
Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information in a format that is very different from exemplified in the document, i.e., something like
<?xml version='1.0' encoding='UTF-8'?> <response> <sid>1258421375.19</sid> </response>
(which was also how an older server responded.) Instead, the new server's response is like
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>jobs</title>
<id>https://myserver:8089/services/search/jobs</id>
<updated>2021-03-15T22:56:36+00:00</updated>
<generator build="545206cc9f70" version="8.1.2"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>3</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>| archivebuckets</title>
<id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
<updated>2021-03-15T22:17:01.161+00:00</updated>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
<published>2021-03-15T22:17:00.000+00:00</published>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
<link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
<author>
<name>splunk-system-user</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="canSummarize">0</s:key>
<s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
<s:key name="defaultSaveTTL">604800</s:key>
<s:key name="defaultTTL">600</s:key>
<s:key name="delegate">scheduler</s:key>
<s:key name="diskUsage">53248</s:key>
<s:key name="dispatchState">DONE</s:key>
<s:key name="doneProgress">1.00000</s:key>
<s:key name="dropCount">0</s:key>
<s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
<s:key name="eventAvailableCount">0</s:key>
<s:key name="eventCount">0</s:key>
<s:key name="eventFieldCount">0</s:key>
<s:key name="eventIsStreaming">1</s:key>
<s:key name="eventIsTruncated">0</s:key>
<s:key name="eventSearch">archivebuckets </s:key>
<s:key name="eventSorting">none</s:key>
<s:key name="isBatchModeSearch">0</s:key>
<s:key name="isDone">1</s:key>
<s:key name="isEventsPreviewEnabled">0</s:key>
<s:key name="isFailed">0</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isPaused">0</s:key>
<s:key name="isPreviewEnabled">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isRemoteTimeline">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isSavedSearch">1</s:key>
<s:key name="isTimeCursored">0</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="keywords"></s:key>
<s:key name="label">Bucket Copy Trigger</s:key>
<s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
<s:key name="normalizedSearch"></s:key>
<s:key name="numPreviews">0</s:key>
<s:key name="optimizedSearch">| archivebuckets</s:key>
<s:key name="phase0"></s:key>
<s:key name="phase1">archivebuckets | timeliner remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
<s:key name="pid">825113</s:key>
<s:key name="priority">5</s:key>
<s:key name="provenance">scheduler</s:key>
<s:key name="remoteSearch"></s:key>
<s:key name="reportSearch"></s:key>
<s:key name="resultCount">0</s:key>
<s:key name="resultIsStreaming">1</s:key>
<s:key name="resultPreviewCount">0</s:key>
<s:key name="runDuration">0.89</s:key>
<s:key name="sampleRatio">1</s:key>
<s:key name="sampleSeed">0</s:key>
<s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
<s:key name="scanCount">0</s:key>
<s:key name="search">| archivebuckets</s:key>
<s:key name="searchCanBeEventType">0</s:key>
<s:key name="searchLatestTime">1615846620.000000000</s:key>
<s:key name="searchTotalBucketsCount">0</s:key>
<s:key name="searchTotalEliminatedBucketsCount">0</s:key>
<s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
<s:key name="statusBuckets">0</s:key>
<s:key name="ttl">4825</s:key>
<s:key name="performance">
<s:dict>
<s:key name="command.archivebuckets">
<s:dict>
<s:key name="duration_secs">0.858</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">0</s:key>
</s:dict>
</s:key>
<s:key name="command.timeliner">
<s:dict>
<s:key name="invocations">1</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">0</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.createdSearchResultInfrastructure">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.archivebuckets">
<s:dict>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.finalWriteToDisk">
<s:dict>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.readEventsInResults">
<s:dict>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.timeline">
<s:dict>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.writeStatus">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">4</s:key>
</s:dict>
</s:key>
<s:key name="startup.configuration">
<s:dict>
<s:key name="duration_secs">0.02</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="startup.handoff">
<s:dict>
<s:key name="duration_secs">0.092</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="messages">
<s:dict/>
</s:key>
<s:key name="request">
<s:dict>
<s:key name="auto_cancel">0</s:key>
<s:key name="auto_pause">0</s:key>
<s:key name="buckets">0</s:key>
<s:key name="earliest_time"></s:key>
<s:key name="index_earliest"></s:key>
<s:key name="index_latest"></s:key>
<s:key name="indexedRealtime"></s:key>
<s:key name="indexedRealtimeMinSpan"></s:key>
<s:key name="indexedRealtimeOffset"></s:key>
<s:key name="latest_time">now</s:key>
<s:key name="lookups">1</s:key>
<s:key name="max_count">500000</s:key>
<s:key name="max_time">0</s:key>
<s:key name="reduce_freq">10</s:key>
<s:key name="rt_backfill">0</s:key>
<s:key name="rt_maximum_span"></s:key>
<s:key name="sample_ratio">1</s:key>
<s:key name="spawn_process">1</s:key>
<s:key name="time_format">%FT%T.%Q%:z</s:key>
<s:key name="ui_dispatch_app"></s:key>
<s:key name="ui_dispatch_view"></s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
<s:item>splunk-system-user</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
<s:item>splunk-system-user</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="owner">splunk-system-user</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="sharing">global</s:key>
<s:key name="app">splunk_archiver</s:key>
<s:key name="can_write">1</s:key>
<s:key name="ttl">7200</s:key>
</s:dict>
</s:key>
<s:key name="searchProviders">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
<entry>
...
</entry>
<entry>
...
</entry>
...
</feed>
So instead of one simple <sid/> property in <response/>, the SID is embedded in one of nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even SID format is very different from the document.) In fact, the return is a job list instead of a single job.
I am not sure if this makes a difference: I am using an authorization token to authenticate with the API. The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.
Additionally, I am not able to get any output when querying results of the returned SID. In Splunk Web, all jobs submitted by splunk-system-user shows in application "splunk_archiver" instead of search which is the default application when I search in Splunk Web. The user to which the authorization token belongs to has role of "user" and default app of "launcher" like any other user.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
03-15-2021
05:58 PM
The problem is in my query format. Search query must be submitted in POST but my query was sent via GET.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
03-15-2021
05:58 PM
The problem is in my query format. Search query must be submitted in POST but my query was sent via GET.
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
