How to run a search using the Splunk REST API

neeldesai1992
Path Finder

I have the following search query that I run in the Splunk search UI, and it works fine:

index=cpaws source=PFT buildNumber=14 type=REQUEST | stats p98(wholeduration) as currentRunP98Duration| appendcols [search index=cpaws source=PFT buildNumber=13 type=REQUEST | stats p98(wholeduration) as previousRunP98Duration1] | appendcols [search index=cpaws source=PFT buildNumber=12 type=REQUEST | stats p98(wholeduration) as previousRunP98Duration2] |eval avgP98=(previousRunP98Duration1+previousRunP98Duration2)/2 | eval success=if(currentRunP98Duration>=avgP98*0.1,"Good","BAD")| table success

For printing out the parameter "success", I was using the table command. Now I want to call the same query using the Splunk REST API and in return I want to get the success parameter value. How can I do that?

I went through the Splunk REST API Documentation but I couldn't/didn't find anything helpful. Please help me.

0 Karma
Damien_Dallimor
Ultra Champion

You have not described how you are attempting to use the REST API.

So I will just make this suggestion: try using one of the SDKs, such as the Python SDK.

There are plenty of examples of how to execute a search.

0 Karma

Damien_Dallimor
Ultra Champion

Well in that case you can use the Splunk Java SDK from Groovy.

Here is an old Gist of mine that shows how to use the Java SDK from Groovy.

And here are examples of using the Java SDK to execute Searches.

0 Karma

neeldesai1992
Path Finder

I put down the following program:
import com.splunk.*;

public class ConnectToSplunk {
    public static void main(String[] args) {

        // Create a map of arguments and add login parameters
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setUsername("admin");
        loginArgs.setPassword("changeme");
        loginArgs.setHost("localhost");
        loginArgs.setPort(8000);

        // Create a Service instance and log in with the argument map
        Service service = Service.connect(loginArgs);

        // A second way to create a new Service object and log in
        // Service service = new Service("localhost", 8089);
        // service.login("admin", "changeme");

        // A third way to create a new Service object and log in
        // Service service = new Service(loginArgs);
        // service.login();

        // Print installed apps to the console to verify login
        for (Application app : service.getApplications().values()) {
            System.out.println(app.getName());
        }
    }
}

This gives me the following error:
Exception in thread "main" java.lang.RuntimeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.splunk.HttpService.send(HttpService.java:409)
at com.splunk.Service.send(Service.java:1293)
at com.splunk.HttpService.post(HttpService.java:308)
at com.splunk.Service.login(Service.java:1122)
at com.splunk.Service.login(Service.java:1101)
at com.splunk.Service.connect(Service.java:187)
at ConnectToSplunk.main(ConnectToSplunk.java:13)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.Handshaker.activate(Handshaker.java:503)
at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1482)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1351)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav...
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at com.splunk.HttpService.send(HttpService.java:403)
... 6 more

0 Karma

neeldesai1992
Path Finder

To see any example, do I need to connect to a Splunk Enterprise instance?

0 Karma

Damien_Dallimor
Ultra Champion

To see the example you click on the link I posted.

To try out the example, then obviously you need to connect to a Splunk Enterprise instance. Very simple to set up on your own local machine: https://www.splunk.com/en_us/download.html

0 Karma

neeldesai1992
Path Finder

But I think this will not help me. I have the search query ready. I just want to make a call to the Splunk server, execute this search query and get the result.

0 Karma

Damien_Dallimor
Ultra Champion

What, reading the docs/examples provided won't help you?

I've given you examples to follow. I suggest reading the docs and actually trying them. Have you attempted to try anything yet?

The docs/examples I've linked to are very clear on how to execute a Splunk search query via the REST API and get the result.

0 Karma

neeldesai1992
Path Finder

Yeah, let me try that out, you are right. Sorry and thanks.

0 Karma

neeldesai1992
Path Finder

Sorry, not by SDK. Actually, I want to write a Groovy script which will be part of the post-build action of my Jenkins job. It will make a request to Splunk, get the data and extract it. I am not sure which endpoint can help me out with this.

0 Karma
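
Added example, not part of the thread and not code from Splunk or either poster: a Python illustration of running a query such as the one in the question through the REST API's `search/jobs` endpoint in oneshot mode, over a verified TLS 1.2+ connection, and reading the `success` field from the JSON reply. The host, the `SPLUNK_TOKEN` and `SPLUNK_CA` environment variables, the function names and the sample reply are assumptions constructed for illustration.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

# Assumed deployment values; 8089 is the management port that serves the REST API.
SPLUNK_MGMT = "https://localhost:8089"

def build_oneshot_request(spl, token):
    """POST to search/jobs that runs `spl` synchronously and returns JSON rows."""
    # A query starting with a base search (index=...) needs the "search" prefix.
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    req = urllib.request.Request(SPLUNK_MGMT + "/services/search/jobs", data=body, method="POST")
    req.add_header("Authorization", "Bearer " + token)  # Splunk authentication token
    return req

def tls_context(ca_file=None):
    """Verify the server certificate and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def extract_field(response_text, field):
    """Return `field` from the single result row, failing loudly otherwise."""
    doc = json.loads(response_text)
    errors = [m.get("text", "") for m in doc.get("messages", [])
              if m.get("type") in ("ERROR", "FATAL")]
    if errors:
        raise RuntimeError("search failed: " + "; ".join(errors))
    rows = doc.get("results", [])
    if len(rows) != 1 or field not in rows[0]:
        raise ValueError(f"expected one row with {field!r}, got {rows!r}")
    return rows[0][field]

def run_search(spl, field):
    """Needs a reachable Splunk instance; token and CA bundle come from the environment."""
    req = build_oneshot_request(spl, os.environ["SPLUNK_TOKEN"])
    ctx = tls_context(os.environ.get("SPLUNK_CA"))
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return extract_field(resp.read().decode("utf-8"), field)

# Constructed sample of a oneshot JSON reply, for offline use.
SAMPLE_REPLY = '{"preview": false, "init_offset": 0, "messages": [], "fields": [{"name": "success"}], "results": [{"success": "Good"}]}'

if __name__ == "__main__":
    print(extract_field(SAMPLE_REPLY, "success"))
```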