Getting Data In

How to execute searches with auth token, using the Webtools Add-on

splunker686
Explorer

Hi @jkat54, thank you for creating this wonderful app.  I have a use case that requires executing remote searches from one independent search head to another search head, with the use of auth tokens.  

I am able to do so using the linux curl command, using the following command syntax:

 

curl -k -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc" https://localhost:8089/services/search/jobs/export -d output_mode=csv -d search="search index=_internal | head 10"

 

I would like to know how I can translate the above syntax into search command, leveraging the webtools add-on.   Thanks in advance for your help.

 

Tags (1)
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Did you see the examples on the splunkbase details tab?

the one below matches what you're doing:

  • Setting a Custom Header & Test Data:
    | makeresults count=1
    | eval header="{\"content-type\":\"application/json\"}"
    | eval data="{\"test data\":\"DATA\"}"
    | curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

View solution in original post

jkat54
SplunkTrust
SplunkTrust

Did you see the examples on the splunkbase details tab?

the one below matches what you're doing:

  • Setting a Custom Header & Test Data:
    | makeresults count=1
    | eval header="{\"content-type\":\"application/json\"}"
    | eval data="{\"test data\":\"DATA\"}"
    | curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

splunker686
Explorer

Thank you @jkat54 for your tip.  This seems to work as expected now:

 

| makeresults count=1
| eval header="{\"content-type\":\"application/json\",\"Authorization\":\"Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc...\"}"
| eval data="{\"search\":\"search index=_internal source=*splunkd.log | head 10 | table _raw\",\"output_mode\":\"csv\"}"
| curl method=get uri=https://localhost:8089/services/search/jobs/export headerfield=header datafield=data

 

Screen Shot 2021-10-05 at 12.31.30 PM.png

Thanks again for this useful tool.  Please keep up the good work. 🙏

jkat54
SplunkTrust
SplunkTrust

Great!  Thanks for accepting my answer and smashing the thumbs up button!

Happy POWER splunking!

0 Karma

jkat54
SplunkTrust
SplunkTrust

Make sure you rotate auth tokens for that account or restart splunk on that host.  You have the whole token shown in the image.

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...