
Can you retrieve the /results/ endpoint using |REST instead of a curl?

jadamsplunk
Path Finder

Hi all,

Before I dive into the issue, I'd like to explain the goal:

I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST endpoint. I've successfully returned results via a curl, but as of yet I have not succeeded using |REST.

I have attempted these tests on both expired and non-expired SIDs.

Below is an example of successfully returning results via curl:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/resu...

If I run the following, I successfully retrieve all the various metadata about the search's dispatch itself:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/

However, when I attempt to retrieve the results with the following, I get an error about failing to fetch the rest endpoint:

| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results

I've also tried various forms of GET as described here:

https://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D....


All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.

Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.

0 Karma

afurrowgtri
Explorer

While probably not best practice, you can use the map function in conjunction with loadjob (as you mentioned) for a thing like this. Assuming your base result set is not massive, you can store it in a lookup table (haven't tested with KV store but don't see why not) and re-attach it to the results using lookup. If anyone knows how to make map simply append the results like a join instead of replacing the results, please chime in.

YourSearchHere | outputlookup tempForMap.csv
| map search="| loadjob $sid$ | eval sid=\"$sid$\"" maxsearches=10
| lookup tempForMap.csv sid OUTPUTNEW

Note that the above assumes your SIDs are in a column called sid. If you can share additional information about the larger objective here, maybe there's a better way.

Please let us know how it's panning out or if you found a better solution.

0 Karma
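The script alternative the question mentions, as an added example that is not part of the original thread: a small Python client that fetches a job's rows from the /results endpoint over the REST API and left-joins them onto a base result set keyed by sid, keeping base rows whose job has expired. Two points the curl in the question glosses over are handled here: the credential travels in an Authorization header rather than on the command line with -u (where it shows up in shell history and process listings), and TLS is verified against a CA file or the system trust store instead of being disabled with -k. Assumptions not established by the thread: that /results accepts output_mode=json and count=0 and answers {"results": [...]}, that a bearer token is accepted, and that an expired or unknown SID yields HTTP 404. The host, owner, app, SIDs, base rows and job payloads are constructed for illustration, and fake_transport stands in for the network so the block runs offline.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

Row = Dict[str, str]


def results_url(base_url: str, owner: str, app: str, sid: str, count: int = 0) -> str:
    """Namespaced /results URL for one search job. Each path segment is
    percent-encoded so an SID or app name cannot alter the path; count=0 is
    assumed to request all rows (see lead-in)."""
    path = "/servicesNS/{}/{}/search/jobs/{}/results".format(
        urllib.parse.quote(owner, safe=""),
        urllib.parse.quote(app, safe=""),
        urllib.parse.quote(sid, safe=""),
    )
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return base_url.rstrip("/") + path + "?" + query


def http_get(url: str, token: str, cafile: Optional[str] = None, timeout: float = 30.0) -> str:
    """Live transport (not exercised offline): bearer token in a header and
    TLS verified against cafile or the system trust store."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fetch_job_results(transport: Callable[[str], str], base_url: str,
                      owner: str, app: str, sid: str) -> Optional[List[Row]]:
    """Rows of one job, or None when the job is gone (HTTP 404, e.g. an
    expired SID). Any other HTTP error propagates to the caller."""
    try:
        body = transport(results_url(base_url, owner, app, sid))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return [dict(r) for r in json.loads(body).get("results", [])]


def left_join_by_sid(base_rows: List[Row],
                     fetch: Callable[[str], Optional[List[Row]]]) -> List[Row]:
    """Left join on sid: every base row survives. A row whose job has N
    results expands to N merged rows (base fields win on name collisions);
    a row whose job is missing or empty is kept and tagged. One fetch per SID."""
    cache: Dict[str, Optional[List[Row]]] = {}
    out: List[Row] = []
    for row in base_rows:
        sid = row.get("sid", "")
        if sid not in cache:
            cache[sid] = fetch(sid) if sid else None
        matches = cache[sid]
        if matches is None:
            out.append(dict(row, job_status="missing"))
        elif not matches:
            out.append(dict(row, job_status="empty"))
        else:
            for match in matches:
                merged = dict(match)
                merged.update(row)
                merged["job_status"] = "ok"
                out.append(merged)
    return out


# Constructed sample data: a base search's rows and what /results would answer.
SAMPLE_BASE_ROWS: List[Row] = [
    {"alert": "Brute force", "sid": "1545072559.25"},
    {"alert": "Port scan", "sid": "scheduler__admin__search__RMD5abc_at_1545072600_1"},
    {"alert": "Expired", "sid": "1545000000.1"},
]
SAMPLE_JOB_RESULTS = {
    "1545072559.25": {"results": [{"src": "10.0.0.5", "count": "42"},
                                  {"src": "10.0.0.9", "count": "7"}]},
    "scheduler__admin__search__RMD5abc_at_1545072600_1": {"results": [{"src": "192.0.2.10", "count": "3"}]},
}


def fake_transport(url: str) -> str:
    """Offline stand-in for http_get: serves SAMPLE_JOB_RESULTS by the SID in
    the URL and raises 404 for unknown SIDs, as an expired job would."""
    path = urllib.parse.urlsplit(url).path
    sid = urllib.parse.unquote(path.split("/jobs/")[1].split("/")[0])
    if sid not in SAMPLE_JOB_RESULTS:
        raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
    return json.dumps(SAMPLE_JOB_RESULTS[sid])


def demo_join() -> List[Row]:
    """Run the join against the constructed data (swap fake_transport for a
    functools.partial(http_get, token=...) to go live)."""
    def fetch(sid: str) -> Optional[List[Row]]:
        return fetch_job_results(fake_transport, "https://localhost:8089",
                                 "admin", "SplunkEnterpriseSecuritySuite", sid)
    return left_join_by_sid(SAMPLE_BASE_ROWS, fetch)


if __name__ == "__main__":
    print(json.dumps(demo_join(), indent=2))
```

Running it prints four rows: two for the first SID (one per result row), one for the scheduler SID, and the "Expired" base row kept with job_status=missing and no src or count fields. The per-SID cache matters when the base search repeats an SID across many rows, since each fetch is a full job read on the search head.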