Getting Data In

Is it possible to run a curl command on a dbxquery?

ssharm02
Explorer

I am working with Splunk's rest API. I have to make a post request to Splunk and get some data from a dbxquery. I tried using the following curl command but got an error stating dbxquery is an unknown search command.

curl -H "Authorization: Basic cHp2NjBzcGx1bms6U3BsdW5rMTIz" -k https://se138628.devmaple.devfg.rbc.com:8089/services/search/jobs -d search="| dbxquery query%22select%20count(distinct%20id)..." -d output_mode=json -d id=test_search_2 -d adhoc_search_level=fast -d earliest_time=-2h -d max_count=10

I was wondering if it is possible to make a curl command with dbx searches and return the json data.

Regards.

0 Karma
1 Solution

vasanthmss
Motivator

Hi ssharm01,

You could use CURL to run DBX Query.
Note : Make sure the User (in the authentication token) have access to run the dbx query.

Here are the information about the end point. services/search/jobs

GET :Get details of all current searches.
POST: Start a new search and return the search ID ( <sid>)

Above CURL call will create a job and return the Job ID (SID). using the job id, you should make another call to search/jobs/{search_id}/results to get results.

REST Call 1:

curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs  -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json 

Rest Call 2:

curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/`<SID>`/results' --get -d output_mode=json 

Read this docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch

Hope this helps you

Cheers!!!

V

View solution in original post

vasanthmss
Motivator

Hi ssharm01,

You could use CURL to run DBX Query.
Note : Make sure the User (in the authentication token) have access to run the dbx query.

Here are the information about the end point. services/search/jobs

GET :Get details of all current searches.
POST: Start a new search and return the search ID ( <sid>)

Above CURL call will create a job and return the Job ID (SID). using the job id, you should make another call to search/jobs/{search_id}/results to get results.

REST Call 1:

curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs  -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json 

Rest Call 2:

curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/`<SID>`/results' --get -d output_mode=json 

Read this docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch

Hope this helps you

Cheers!!!

V

tmuth_splunk
Splunk Employee
Splunk Employee

I believe commands that start with a pipe in the UI have an implied 

 

search | ...

 

in front of the command. Try changing your search parameter from: 

 

search=" | dbxquery query=\"SELECT count(*) FROM db.table\"

 

to

 

search="search | dbxquery query=\"SELECT count(*) FROM db.table\"

 

Tags (1)
0 Karma

ssharm02
Explorer

Hey Vasanthmss, I tried what you suggested and I am still getting the same error. Type Fatal, Unknown search command 'dbxquery.'

0 Karma

ssharm02
Explorer

Your suggestion worked for me. I did have to add two escape backslashes on the SQL queries though (node.js environment)

0 Karma

vasanthmss
Motivator

Are you able to run the search in web ui with the same user ?

V
0 Karma

ssharm02
Explorer

Hi Vasanthmss,

This error doesn't seem to be related to user privileges, since the cmd console is saying the dbxquery is an unknown search command.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...