Can I use REST API without curl?

pkd18
Engager

Is there a way I can make REST API calls to Splunk to run a search and return data as JSON via a web service rather than using curl?

Basically, I need the HTTP URL equivalent of the command below that would work when invoked via JavaScript or when put into a browser:

curl -u usr:psd -k https://xx.xx.xx.xx:xxxxx/services/search/jobs/export -d search='search index=xxx earliest=-15m latest=now "xyz123" | table c1, c2' -d output_mode=json
0 Karma

duddukuri
Explorer

By using the implementation below, I was able to query Splunk with the REST API without using the Splunk Java SDK.

String uri = "https://****:8089/services/search/jobs/export?search=search ID=d19b7c20-22e2-4832-883e-8df3907fedc0 |sort by fieldname @timestamp";

import org.springframework.http.ResponseEntity;
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

public class RestSplunkClient {
    // Sends a GET request to the given Splunk REST URI and returns the response body.
    public String get(String uri, String username, String password) {
        RestTemplate restTemplate = new RestTemplate();
        // Attach HTTP Basic credentials only when both values are present.
        if (null != username && null != password && !username.isEmpty() && !password.isEmpty()) {
            restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(username, password));
        }
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(uri);
        // Typed as ResponseEntity<String> so that getBody() returns a String.
        ResponseEntity<String> response = restTemplate.getForEntity(builder.build().toUriString(), String.class);
        return response.getBody();
    }
}

0 Karma

jlemley
Path Finder

Theoretically, you could generate a URL like this and run it in your browser - Splunk will prompt you to log in:

https://xx.xx.xx.xx:xxxxx/services/search/jobs/export?output_mode=json&search=search%20index=xxx%20e...

Here is a jQuery AJAX example of how you can do API calls, although it's not recommended to do it this way because of the security concerns with passing a username and password through a browser. If you can generate your security token from a cURL call first, then pass that to the js script, that would be better. But for the sake of completeness:

First, get the auth token:

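var thisIsMyAuthToken; // declared outside the callback so the search request can read it

var settings = {
  "url": "https://xx.xx.xx.xx:xxxxx/services/auth/login",
  "method": "POST",
  "dataType": "json",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "data": {
    "username": "myuser",
    "password": "mypw",
    "output_mode": "json" // ask for a JSON body instead of the default XML
  }
}

$.ajax(settings).done(function (response) {
  thisIsMyAuthToken = response.sessionKey; // grab the sessionKey component of the login response
});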

Then do the search request:

var settings = {
  "url": "https://xx.xx.xx.xx:xxxxx/services/search/jobs/export?output_mode=json&search=search%20index=xxx%20earliest=-15m%20latest=now%20%22xyz123%22|%20table%20c1,%20c2",
  "method": "GET",
  "headers": {
    "Authorization": "Splunk " +  thisIsMyAuthToken,
    "Content-Type": "application/x-www-form-urlencoded"
  }
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

This test was generated in Postman, which I highly recommend for any API testing.
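
Added example, not part of the original post or of Splunk's own code: one way to build the export request from the answer above so that the search string is percent-encoded and the script only ever handles a session key, then to read the rows out of the response. The helper names, host and key are hypothetical, and the sample body is constructed on the assumption that export returns one JSON object per line with `preview` and `result` fields.

```javascript
// Added example: helper names, host and key are hypothetical placeholders.

// Build the GET request for /services/search/jobs/export from a session key
// obtained elsewhere, so no username or password is handled by this script.
function buildExportRequest(baseUrl, sessionKey, spl, outputMode = "json") {
  if (!/^https:\/\//i.test(baseUrl)) {
    throw new Error("refusing to send a session key over a non-HTTPS URL");
  }
  if (!sessionKey) throw new Error("session key required");
  const url = new URL("/services/search/jobs/export", baseUrl);
  // encodeURIComponent keeps quotes, pipes and '&' in the SPL inside the
  // search parameter instead of letting them start a new parameter.
  url.search = "output_mode=" + encodeURIComponent(outputMode) +
               "&search=" + encodeURIComponent(spl);
  return {
    url: url.toString(),
    method: "GET",
    headers: { Authorization: "Splunk " + sessionKey },
  };
}

// Parse an export body, assumed to be one JSON object per line. Preview rows
// and blank lines are skipped; a malformed line is reported by line number.
function parseExportStream(body) {
  const rows = [];
  body.split(/\r?\n/).forEach(function (line, i) {
    if (line.trim() === "") return;
    let obj;
    try {
      obj = JSON.parse(line);
    } catch (e) {
      throw new Error("line " + (i + 1) + " is not JSON: " + e.message);
    }
    if (!obj || obj.preview === true || !obj.result) return;
    rows.push(obj.result);
  });
  return rows;
}

// Constructed sample body (not captured from a real Splunk instance).
const SAMPLE_BODY = [
  '{"preview":true,"offset":0,"result":{"c1":"a","c2":"1"}}',
  '{"preview":false,"offset":0,"result":{"c1":"a","c2":"1"}}',
  '',
  '{"preview":false,"offset":1,"lastrow":true,"result":{"c1":"b","c2":"2"}}',
].join("\n");

console.log(parseExportStream(SAMPLE_BODY));
```

The object returned by buildExportRequest has the same url/method/headers shape as the settings objects above, so it can be passed to $.ajax or to fetch.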

duddukuri
Explorer

How about the same URL with user credentials, calling this from Java without the Splunk SDK?

0 Karma

gjanders
SplunkTrust

The search REST API reference manual describes two ways to use the jobs/export option.

Try for example:

https://localhost:8089/services/search/jobs/export?search=search index=_internal | head 1&output_mode=raw

That worked for me.

0 Karma

duddukuri
Explorer

How about the same URL with user credentials, calling this from Java without the Splunk SDK?

0 Karma