
How to get REST API to respond with simple XML?

yuanliu
SplunkTrust

Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information, in a format that is very different from what is exemplified in the document, i.e., something like

<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response> 

(which was also how an older server responded). Instead, the new server's response is like

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://myserver:8089/services/search/jobs</id>
  <updated>2021-03-15T22:56:36+00:00</updated>
  <generator build="545206cc9f70" version="8.1.2"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>| archivebuckets</title>
    <id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
    <updated>2021-03-15T22:17:01.161+00:00</updated>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
    <published>2021-03-15T22:17:00.000+00:00</published>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="canSummarize">0</s:key>
        <s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="defaultSaveTTL">604800</s:key>
        <s:key name="defaultTTL">600</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">53248</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">0</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">0</s:key>
        <s:key name="eventSearch">archivebuckets </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isBatchModeSearch">0</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isEventsPreviewEnabled">0</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isTimeCursored">0</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords"></s:key>
        <s:key name="label">Bucket Copy Trigger</s:key>
        <s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
        <s:key name="normalizedSearch"></s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="optimizedSearch">| archivebuckets</s:key>
        <s:key name="phase0"></s:key>
        <s:key name="phase1">archivebuckets  | timeliner  remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
        <s:key name="pid">825113</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="provenance">scheduler</s:key>
        <s:key name="remoteSearch"></s:key>
        <s:key name="reportSearch"></s:key>
        <s:key name="resultCount">0</s:key>
        <s:key name="resultIsStreaming">1</s:key>
        <s:key name="resultPreviewCount">0</s:key>
        <s:key name="runDuration">0.89</s:key>
        <s:key name="sampleRatio">1</s:key>
        <s:key name="sampleSeed">0</s:key>
        <s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
        <s:key name="scanCount">0</s:key>
        <s:key name="search">| archivebuckets</s:key>
        <s:key name="searchCanBeEventType">0</s:key>
        <s:key name="searchLatestTime">1615846620.000000000</s:key>
        <s:key name="searchTotalBucketsCount">0</s:key>
        <s:key name="searchTotalEliminatedBucketsCount">0</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">4825</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.archivebuckets">
              <s:dict>
                <s:key name="duration_secs">0.858</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.timeliner">
              <s:dict>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createdSearchResultInfrastructure">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.archivebuckets">
              <s:dict>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.finalWriteToDisk">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.readEventsInResults">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.timeline">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.writeStatus">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.configuration">
              <s:dict>
                <s:key name="duration_secs">0.02</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.handoff">
              <s:dict>
                <s:key name="duration_secs">0.092</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="auto_cancel">0</s:key>
            <s:key name="auto_pause">0</s:key>
            <s:key name="buckets">0</s:key>
            <s:key name="earliest_time"></s:key>
            <s:key name="index_earliest"></s:key>
            <s:key name="index_latest"></s:key>
            <s:key name="indexedRealtime"></s:key>
            <s:key name="indexedRealtimeMinSpan"></s:key>
            <s:key name="indexedRealtimeOffset"></s:key>
            <s:key name="latest_time">now</s:key>
            <s:key name="lookups">1</s:key>
            <s:key name="max_count">500000</s:key>
            <s:key name="max_time">0</s:key>
            <s:key name="reduce_freq">10</s:key>
            <s:key name="rt_backfill">0</s:key>
            <s:key name="rt_maximum_span"></s:key>
            <s:key name="sample_ratio">1</s:key>
            <s:key name="spawn_process">1</s:key>
            <s:key name="time_format">%FT%T.%Q%:z</s:key>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">splunk-system-user</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">splunk_archiver</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="ttl">7200</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
...
  </entry>
  <entry>
...
  </entry>
...
</feed>

So instead of one simple <sid/> property in <response/>, the SID is embedded in one of the nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even the SID format is very different from the document.) In fact, the return is a job list instead of a single job.

I am not sure if this makes a difference: I am using an authorization token to authenticate with the API.  The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.

Additionally, I am not able to get any output when querying results of the returned SID. In Splunk Web, all jobs submitted by splunk-system-user show in the application "splunk_archiver" instead of "search", which is the default application when I search in Splunk Web. The user to which the authorization token belongs has the role "user" and the default app "launcher", like any other user.

yuanliu
SplunkTrust

The problem is in my query format. The search query must be submitted via POST, but my query was sent via GET.
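
As an added example (not from the original post, and not Splunk's SDK code), the following Python script builds the job-creation request the way the answer describes, as a POST to /services/search/jobs with a bearer token, and tells the two reply shapes quoted in the question apart: a <response><sid> reply means a job was created, while the Atom job-listing feed means the request was really a GET. The server name, the token value and the second SID in the listing sample are constructed placeholders.

```python
"""Added example: create a Splunk search job the way the REST API expects (POST)
and tell a job-creation reply apart from the job listing that a GET returns.

Assumptions (not from the original post): the server name, the token value and
the second SID in LISTING_REPLY are constructed placeholders.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"


def build_create_job_request(base_url, token, spl):
    """Return (method, url, headers, body) for POST /services/search/jobs.

    A GET on the same URL does not run the search: it lists existing jobs,
    which is exactly the Atom feed the question shows.
    """
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl  # the API needs the leading 'search' command
    body = urllib.parse.urlencode({"search": spl, "output_mode": "xml"}).encode()
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return "POST", base_url.rstrip("/") + "/services/search/jobs", headers, body


def send(method, url, headers, body=None, timeout=30):
    """Perform the request. TLS verification stays on: trust the management
    port's certificate explicitly rather than turning verification off."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_sids(xml_text):
    """Classify a reply and pull SIDs out of it.

    Returns ("created", sid) for the <response><sid> reply of a successful POST,
    or ("listing", [sid, ...]) for the Atom feed a GET returns. The XML comment
    and the xml-stylesheet instruction in the feed are dropped by the parser.
    """
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    if root.tag == "response":
        sid = root.findtext("sid")
        if not sid:
            raise ValueError("job-creation response carries no <sid>")
        return "created", sid.strip()
    if root.tag == ATOM + "feed":
        sids = []
        for entry in root.findall(ATOM + "entry"):
            top = entry.find(ATOM + "content/" + SREST + "dict")
            if top is None:
                continue  # truncated or empty entry
            # only the entry's top-level keys; nested dicts hold other data
            for key in top.findall(SREST + "key"):
                if key.get("name") == "sid" and key.text:
                    sids.append(key.text.strip())
        return "listing", sids
    raise ValueError("unexpected root element %r" % root.tag)


# Constructed sample replies, modelled on the two shapes quoted in the question.
CREATED_REPLY = """<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response>
"""

LISTING_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable.-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>jobs</title>
  <entry>
    <title>| archivebuckets</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>search index=_internal | head 1</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="dispatchState">RUNNING</s:key>
        <s:key name="sid">1615848000.42</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    method, url, headers, body = build_create_job_request(
        "https://myserver:8089", "<token placeholder>", "index=_internal | head 1")
    print(method, url, body)
    print(extract_sids(CREATED_REPLY))
    print(extract_sids(LISTING_REPLY))
    # Live call (needs a reachable server and a trusted certificate):
    # kind, sid = extract_sids(send(method, url, headers, body))
```

If extract_sids reports "listing" right after you meant to create a job, the request went out as a GET: nothing was dispatched, and the SIDs you see belong to other jobs (scheduler-owned ones run as splunk-system-user under their own app, which is why their <author/> and app differ from the token's user).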
