
Can you retrieve the /results/ endpoint using |REST instead of a curl?


Hi all,

Before I dive into the issue, I'd like to explain the goal:

I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST endpoint. I've successfully returned results via a curl, but as of yet I have not succeeded using |REST.

I have attempted these tests on both expired and non-expired SIDs.

Below is an example of successfully returning results via curl:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/resu...

If I run the following, I successfully retrieve all the various metadata about the search's dispatch itself:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/

However, when I attempt to retrieve the results with the following, I get an error about failing to fetch the rest endpoint:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results

I've also tried various forms of GET as described here:

All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.

Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.



While probably not best practice, you can use the map function in conjunction with loadjob (as you mentioned) for a thing like this. Assuming your base result set is not massive, you can store it in a lookup table (haven't tested with KV store but don't see why not) and re-attach it to the results using lookup. If anyone knows how to make map simply append the results like a join instead of replacing the results, please chime in.

YourSearchHere | outputlookup tempForMap.csv
| map search="| loadjob $sid$ | eval sid=$sid$" maxsearches=10
| lookup tempForMap.csv sid OUTPUTNEW

Note that the above assumes your SIDs are in a column called sid. If you can share additional information about the larger objective here, maybe there's a better way.

Please let us know how it's panning out or if you found a better solution.

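The script route the question mentions, written out as an added example (it is not code from either post in this thread): it makes the same /search/jobs/<sid>/results request that the curl command does, from Python, and left-joins the returned rows onto a base result set on sid, keeping fields already in the base row the way `lookup ... OUTPUTNEW` does in the answer. The server URL, user, app name, token, CA file path, sample base rows and fake server responses are all constructed for the example. It differs from the curl line in the question in two ways a practitioner would want: it sends a Splunk authentication token in an Authorization header instead of putting admin:changeme on the command line, where `ps` and shell history can read it, and it verifies the server certificate against a CA file instead of disabling verification with `-k`.

```python
# Added example (not from the original thread): fetch Splunk job results
# over the REST API and left-join them onto a base result set keyed by sid.
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

Row = Dict[str, str]


def results_url(base: str, user: str, app: str, sid: str) -> str:
    """Build the results endpoint URL from the question.  Each path segment is
    percent-encoded so a sid or app value cannot smuggle in extra path parts."""
    q = lambda s: urllib.parse.quote(s, safe="")
    path = f"/servicesNS/{q(user)}/{q(app)}/search/jobs/{q(sid)}/results"
    # output_mode=json gives a parseable body; count=0 returns every row.
    return base.rstrip("/") + path + "?output_mode=json&count=0"


def http_fetch(url: str, token: str, cafile: str) -> Optional[str]:
    """Real fetcher.  Token in a header instead of admin:changeme on argv, and
    TLS verified against `cafile` instead of curl -k.  An unfinished job is
    answered with 204 and no body; that is returned as None ('not ready')."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        if resp.status == 204:
            return None
        return resp.read().decode("utf-8")


def parse_results(body: Optional[str]) -> Optional[List[Row]]:
    """Pull the `results` array out of a JSON body; None means job not done."""
    if body is None:
        return None
    return json.loads(body).get("results", [])


def left_join_by_sid(base_rows: List[Row],
                     fetch_rows: Callable[[str], Optional[List[Row]]]) -> List[Row]:
    """Left join: every base row survives.  A sid with results fans out to one
    output row per result; fields already on the base row are not overwritten
    (the OUTPUTNEW semantics used in the answer)."""
    joined: List[Row] = []
    for row in base_rows:
        sid = row.get("sid")
        sub = fetch_rows(sid) if sid else None
        if not sub:
            joined.append(dict(row))  # no results yet / expired: keep base row
            continue
        for result in sub:
            merged = dict(row)
            for k, v in result.items():
                merged.setdefault(k, v)
            joined.append(merged)
    return joined


# --- constructed sample data so the example runs offline (assumed values) ---
BASE, USER, APP = "https://localhost:8089", "admin", "SplunkEnterpriseSecuritySuite"
SAMPLE_BASE_ROWS: List[Row] = [
    {"rule_name": "Brute Force Detected", "sid": "1545072559.25"},
    {"rule_name": "Still Running", "sid": "1545072600.31"},
    {"rule_name": "Expired Job", "sid": "1545000000.7"},
]
# Fake HTTP bodies keyed by URL, standing in for the server.
FAKE_SERVER: Dict[str, Optional[str]] = {
    results_url(BASE, USER, APP, "1545072559.25"): json.dumps({"results": [
        {"src": "10.0.0.5", "count": "42", "rule_name": "dropped by setdefault"},
        {"src": "10.0.0.9", "count": "17"},
    ]}),
    results_url(BASE, USER, APP, "1545072600.31"): None,  # 204: not finished
    # 1545000000.7 is absent on purpose: an expired job is treated as a 404.
}


def fake_fetch(url: str) -> Optional[str]:
    if url not in FAKE_SERVER:
        raise urllib.error.HTTPError(url, 404, "Not Found", None, None)
    return FAKE_SERVER[url]


def fetch_rows_via(fetch: Callable[[str], Optional[str]]) -> Callable[[str], Optional[List[Row]]]:
    """Adapt a URL fetcher into a sid -> rows function; 404 (unknown or expired
    sid) becomes 'no results' so the left join still keeps the base row."""
    def fetch_rows(sid: str) -> Optional[List[Row]]:
        try:
            return parse_results(fetch(results_url(BASE, USER, APP, sid)))
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return None
            raise
    return fetch_rows


def demo() -> List[Row]:
    return left_join_by_sid(SAMPLE_BASE_ROWS, fetch_rows_via(fake_fetch))


if __name__ == "__main__":
    # Live server: fetch_rows_via(lambda u: http_fetch(u, TOKEN, "/path/to/ca.pem"))
    for r in demo():
        print(r)
```

The fake fetcher replaces the server so the block runs offline; against a live instance, pass `lambda u: http_fetch(u, token, "/path/to/ca.pem")` to `fetch_rows_via`. The 204 branch covers a job that is still running, and a 404 for the expired SIDs the question mentions is mapped to "no results" so the base row is kept rather than dropped, which is the left-join behaviour the question asks for.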