Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to execute searches with auth token, using the Webtools Add-on

splunker686
Explorer
‎10-05-2021 11:28 AM

Hi @jkat54, thank you for creating this wonderful app.  I have a use case that requires executing remote searches from one independent search head to another search head, with the use of auth tokens.  

I am able to do so using the linux curl command, using the following command syntax:

 

curl -k -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc" https://localhost:8089/services/search/jobs/export -d output_mode=csv -d search="search index=_internal | head 10"

 

I would like to know how I can translate the above syntax into search command, leveraging the webtools add-on.   Thanks in advance for your help.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎10-05-2021 11:34 AM

Did you see the examples on the splunkbase details tab?

the one below matches what you're doing:

  • Setting a Custom Header & Test Data:
    | makeresults count=1
    | eval header="{\"content-type\":\"application/json\"}"
    | eval data="{\"test data\":\"DATA\"}"
    | curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎10-05-2021 11:34 AM

Did you see the examples on the splunkbase details tab?

the one below matches what you're doing:

  • Setting a Custom Header & Test Data:
    | makeresults count=1
    | eval header="{\"content-type\":\"application/json\"}"
    | eval data="{\"test data\":\"DATA\"}"
    | curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

Reply
Solved! Jump to solution

splunker686
Explorer
‎10-05-2021 12:36 PM

Thank you @jkat54 for your tip.  This seems to work as expected now:

 

| makeresults count=1
| eval header="{\"content-type\":\"application/json\",\"Authorization\":\"Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc...\"}"
| eval data="{\"search\":\"search index=_internal source=*splunkd.log | head 10 | table _raw\",\"output_mode\":\"csv\"}"
| curl method=get uri=https://localhost:8089/services/search/jobs/export headerfield=header datafield=data

 

Screen Shot 2021-10-05 at 12.31.30 PM.png

Thanks again for this useful tool.  Please keep up the good work. 🙏

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-05-2021 01:18 PM

Great!  Thanks for accepting my answer and smashing the thumbs up button!

Happy POWER splunking!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-05-2021 01:21 PM

Make sure you rotate auth tokens for that account or restart splunk on that host.  You have the whole token shown in the image.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...