Hi @shravankumarkusuma,
Use something like this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300 -d adhoc_search_level=verbose
You can find everything here: https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches
Cheers,
David
Your time parameter is in the wrong format.
You want latest to be 0 instead of now and try -1h instead of -hr for earliest.
Also, when you dispatch a REST search, pay attention to your app context. In all your examples you're dispatching searches from the Search and Reporting app. If you don't have your search-time extractions in that app (props, transforms, etc.), OR if the extractions aren't shared globally or with the same user you're doing your REST authentication with, then you will not get the desired results.
You have to dispatch the search first (one POST) and then retrieve the results with a GET. It's two calls, plus the auth token call, for every search you want to run via REST.
Thanks @jkat54.
I'm using this for Splunk Enterprise Security. Can you please point out the cases where the search can fail?
How can we change the app context to get the results every time?
Any suggestions on which endpoint for search to use with the proper app context so that the search won't fail?
It's all documented here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/RESTREF/RESTprolog
Thanks a lot.
Two ways I'm firing the query:
method 1:
/services/search/jobs/?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot
method 2:
/services/search/jobs/export?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
Both endpoints are not returning all fields of the notable event, but it's working if I get first and then get the events with ?
I don't want to fire another query with the SID if I can get it in one API request.
Hi guys,
Thanks for the response.
adhoc_search_level is not working if I use exec_mode=oneshot or if I use the search/jobs/export endpoint with POST to directly get the results, instead of getting and then firing one more request to /search/job/sid/events.
I want to directly get results via exec_mode=oneshot or the /export endpoint.
Will adhoc_search_level work with the above two cases?
Thanks for the response.
adhoc_search_level is not working if I use exec_mode=oneshot or if I use the search/jobs/export endpoint to directly get the results, instead of getting and then firing one more request to /search/job/sid/events.
I want to directly get results with exec_mode=oneshot or the /export endpoint.
Will adhoc_search_level work with the above two cases?
Ummm, what about adding | fields * or | table *? As you saw in the doc, adhoc_search_level is for POST, not GET.
Thanks, that works.
Most welcome! Please upvote and accept the answer 🙂
Which REST API are you using to fire the search query? If you are using search/jobs/ then you can use adhoc_search_level=verbose.
Ref. doc: https://docs.splunk.com/Documentation/Splunk/7.3.0/RESTREF/RESTsearch#search.2Fjobs
Is it possible to share your query and the fields you are trying to fetch?
In your method 1, remove adhoc_search_level=verbose and, as mentioned by @adonio, add | fields * at the end of your search. I have tested with a small set of fields and it is working fine.
Thanks, that solves my problem.
Not sure how to change the search mode; however, you can add | fields *
after your filtering (index=a sourcetype=b) and that will return all fields in fast mode.
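Putting the accepted advice together, as an added example that is not code from the thread or from Splunk: a small Python script that builds the single-call /search/jobs/export request with | fields * appended (instead of adhoc_search_level, which only applies to the POST-then-GET job flow), sends it with basic auth over a verified TLS connection, and parses the newline-delimited JSON the export endpoint streams back. The user and app names, the -1h/now time bounds and the sample response lines are assumptions constructed for the example.

```python
# Added example (not from the thread or Splunk): one-call export search with
# | fields * appended, plus a parser for the JSON lines Splunk streams back.
import base64, json, ssl
import urllib.parse, urllib.request

def build_export_request(spl, earliest="-1h", latest="now", user="admin", app="search"):
    """Path and form params for search/jobs/export in the app context of `app`
    (so that app's search-time extractions apply). user/app are assumptions."""
    spl = spl.strip()
    if not (spl.lower().startswith("search ") or spl.startswith("|")):
        spl = "search " + spl
    if "fields *" not in spl:      # export/oneshot ignore adhoc_search_level
        spl += " | fields *"
    path = f"/servicesNS/{user}/{app}/search/jobs/export?output_mode=json"
    return path, {"search": spl, "earliest_time": earliest, "latest_time": latest}

def parse_export_stream(body):
    """Each line is one JSON object; keep final (non-preview) rows' results."""
    events = []
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        events.append(obj["result"])
    return events

def run_export(base_url, user, password, spl, cafile=None, **kw):
    """POST with basic auth and return parsed events. cafile is the CA bundle
    for the management-port cert; a real bundle replaces curl -k's bypass."""
    path, params = build_export_request(spl, user=user, **kw)
    req = urllib.request.Request(base_url + path, method="POST",
                                 data=urllib.parse.urlencode(params).encode())
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_export_stream(resp.read().decode())

# Constructed sample of what the export endpoint streams back (not real data).
SAMPLE_STREAM = (
    '{"preview":true,"offset":0,"result":{"_raw":"partial row"}}\n'
    '{"preview":false,"offset":0,"result":{"_time":"2019-06-01T10:00:00.000+00:00",'
    '"rule_name":"Brute Force Access Behavior Detected","urgency":"high","src":"10.0.0.5"}}\n'
    '{"preview":false,"offset":1,"lastrow":true,"result":{"_time":"2019-06-01T10:05:00.000+00:00",'
    '"rule_name":"Excessive Failed Logins","urgency":"medium","src":"10.0.0.9"}}\n'
)
```

To run it for real, call run_export("https://localhost:8089", user, password, "notable", cafile="/path/to/ca.pem", app="<your ES app>"); parse_export_stream(SAMPLE_STREAM) exercises the parser offline.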