
Can you retrieve the /results/ endpoint using |REST instead of a curl?


Hi all,

Before I dive into the issue, I'd like to explain the goal:

I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST endpoint. I've successfully returned results via a curl, but as of yet I have not succeeded using |REST.

I have attempted these tests on both expired and non-expired SIDs.

Below is an example of successfully returning results via curl:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/resu...

If I run the following, I successfully retrieve all the various metadata about the search's dispatch itself:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/

However, when I attempt to retrieve the results with the following, I get an error about failing to fetch the rest endpoint:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results

I've also tried various forms of GET as described here:

All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.

Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.

0 Karma


While probably not best practice, you can use the map function in conjunction with loadjob (as you mentioned) for a thing like this. Assuming your base result set is not massive, you can store it in a lookup table (haven't tested with KV store but don't see why not) and re-attach it to the results using lookup. If anyone knows how to make map simply append the results like a join instead of replacing the results, please chime in.

YourSearchHere | outputlookup tempForMap.csv
| map search="| loadjob $sid$ | eval sid=\"$sid$\"" maxsearches=10
| lookup tempForMap.csv sid OUTPUTNEW

Note that the above assumes your SIDs are in a column called sid. If you can share additional information about the larger objective here, maybe there's a better way.

Please let us know how it's panning out or if you found a better solution.

0 Karma