Can I run queries having "search" keyword through Splunk REST API?

New Member

I have a query which uses a "subsearch", so it has a search keyword within the query. I get results when I run this query as a normal user, but this query returns no data when it is run by a botuser through the REST endpoint. I am not sure if it is due to the "search" keyword in the query or due to some privilege difference between the normal user and the botuser.

0 Karma

Splunk Employee

Hi vijaydudipala88,

Yes, queries can contain the "search" keyword and be accessed through REST endpoints. For details, see: http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTREF/RESTsearch

The API supports token-based authentication using the standard HTTP Authorization header. This is the recommended method to programmatically access resources. For details, please refer to documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTUM/RESTusing#Authentication_and_authorization

Hope this helps. Thanks!
Hunter

0 Karma
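An added example, not part of the original thread and not Splunk's own code: it builds (without sending) the REST call for a query containing a subsearch, using the Authorization header mentioned in the answer above, and compares the search limits of two roles to check the privilege difference the question suspects. The host, session key, query and both role documents are constructed placeholders; the role fields are those returned by `/services/authorization/roles/<name>`.

```python
import urllib.parse
import urllib.request

# Role settings that limit what a search, and any subsearch inside it, returns.
SEARCH_LIMIT_FIELDS = ("srchIndexesAllowed", "srchIndexesDefault",
                       "srchFilter", "srchTimeWin")

# Constructed sample role contents (assumed shape: entry[0].content of the
# JSON returned for each role). Not taken from the thread.
HUMAN_ROLE = {"srchIndexesAllowed": ["web", "auth"], "srchIndexesDefault": ["web"],
              "srchFilter": "", "srchTimeWin": -1}
BOT_ROLE = {"srchIndexesAllowed": ["web"], "srchIndexesDefault": ["web"],
            "srchFilter": "", "srchTimeWin": -1}


def build_search_request(base_url, session_key, query):
    """Build, but do not send, a oneshot POST to /services/search/jobs."""
    query = query.strip()
    # The REST `search` parameter must begin with a generating command, so a
    # query pasted from the search bar needs an explicit leading "search".
    if not query.startswith(("search ", "|")):
        query = "search " + query
    # urlencode keeps the subsearch brackets and pipes intact in the POST body.
    body = urllib.parse.urlencode(
        {"search": query, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs",
        data=body,
        headers={"Authorization": "Splunk " + session_key},
        method="POST",
    )


def role_differences(human_role, bot_role):
    """Return {field: (human_value, bot_value)} for search limits that differ."""
    def norm(value):
        # Index lists are unordered, so compare them sorted.
        return sorted(value) if isinstance(value, list) else value

    diffs = {}
    for field in SEARCH_LIMIT_FIELDS:
        a, b = human_role.get(field), bot_role.get(field)
        if norm(a) != norm(b):
            diffs[field] = (a, b)
    return diffs
```

With these constructed roles, the bot role cannot read the `auth` index, so a subsearch over that index would return nothing for the bot user while the outer query itself is accepted.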

SplunkTrust

Can you post a simplified version of the query here for review?

0 Karma