Getting Data In

Can I run queries having "search" keyword through Splunk REST API?

New Member

I have a query which uses "subsearch", so it has a search keyword within the query. I get results when I run this query as a normal user but this query returns no data when it is run by a bot_user through the rest endpoint. I am not sure if it is due to the "search" keyword in the query or due to some privileges difference between normal user and bot_user.

0 Karma

Splunk Employee
Splunk Employee

Hi vijaydudipala88,

Yes, queries can contain the "search" keyword and accessed through REST endpoints. For details, see: http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTREF/RESTsearch

The API supports token-based authentication using the standard HTTP Authorization header. This is the recommended method to programmatically access resources. For details, please refer to documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTUM/RESTusing#Authentication_and_authorization

Hope this helps. Thanks!
Hunter

0 Karma

SplunkTrust
SplunkTrust

Can you post a simplified version of the query here for review?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!