Getting Data In

How to create Search via REST api in verbose mode ?

shravankumarkus
New Member

I'm firing search query via REST api to get notable events, but the search is not returning all fields available in the event , I see It is running in fast mode.

How to change the search mode when invoking search via REST api

Tags (2)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @shravankumarkusuma,

Use something like this :

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300 -d adhoc_search_level=verbose 

You can find everything here :https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Cheers,
David

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Your time parameter is in the wrong format.

You want latest to be 0 instead of now and try -1h instead of -hr for earliest.

Also when you dispatch a rest search, pay attention to your app context. In all your examples you're dispatching searches from the search and reporting app. If you don't have your search time extractions in that app (props, transforms, etc) OR if the extractions aren't shared globally or with the same user you're doing your rest authentication with, then you will not get the desired results.

jkat54
SplunkTrust
SplunkTrust

You have to dispatch the search first (one POST) and then retrieve the results with a GET. It's two calls plus the auth token call for every search you want to run via rest.

0 Karma

shravankumarkus
New Member

thanks @jkat54
I'm using this for splunk enterprise security, can you please point out the cases where search can fail,
how can we change the app context to get the results everytime

any suggestions on which endpoint for search to use with proper app context so that search won't fail ?

0 Karma

jkat54
SplunkTrust
SplunkTrust
0 Karma

shravankumarkus
New Member

thanks a lot

0 Karma

shravankumarkus
New Member

two ways i'm firing query

method 1:
/services/search/jobs/?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot

method 2:
/services/search/jobs/export?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose

both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?

i don't want to fire another query with sid if i can get in one API request

0 Karma

shravankumarkus
New Member

Hi guys,

thanks for the response

adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint with POST to directly get the results instead of getting and then firing one more request to /search/job/sid/events

i want to directly get results with via exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

0 Karma

DavidHourani
Super Champion

Hi @shravankumarkusuma,

Use something like this :

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300 -d adhoc_search_level=verbose 

You can find everything here :https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Cheers,
David

0 Karma

shravankumarkus
New Member

thanks for the response

adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint to directly get the results instead of getting and then firing one more request to /search/job/sid/events

i want to directly get results with exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

0 Karma

DavidHourani
Super Champion

ummm what about adding | fields * or | table * ? As you saw in the doc adhoc_search_levelis for POST not GET

0 Karma

shravankumarkus
New Member

thanks that works

0 Karma

DavidHourani
Super Champion

Most welcome ! Please upvote and accept the answer 🙂

0 Karma

harsmarvania57
Ultra Champion

Which rest api are you using to fire search query , if you are using search/jobs/ then you can use adhoc_search_level = verbose Ref. doc https://docs.splunk.com/Documentation/Splunk/7.3.0/RESTREF/RESTsearch#search.2Fjobs

0 Karma

shravankumarkus
New Member

thanks for the response

adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint to directly get the results instead of getting and then firing one more request to /search/job/sid/events

i want to directly get results with exec_mode=oneshot or /export endpoint

will adhoc_search_level work with above two cases

0 Karma

harsmarvania57
Ultra Champion

Is it possible to share your query and fields you are trying to fetch ?

0 Karma

shravankumarkus
New Member

two ways i'm firing query

method 1:
/services/search/jobs/?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot

method 2:
/services/search/jobs/export?output_mode=json

request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose

both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?

i don't want to fire another query with sid if i can get in one API request

0 Karma

harsmarvania57
Ultra Champion

In your method 1 remove adhoc_search_level=verbose and as mentioned by @adonio add | fields * at end of your search. I have tested with small set of fields and it is working fine.

0 Karma

shravankumarkus
New Member

thanks, that solves my problem

0 Karma

adonio
Ultra Champion

not sure how to change search mode, however, you can add | fields * after your filtering (index=a sourcetype=b) that will return all fields in fast mode

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...