Is it possible to run a curl command on a dbxquery?

ssharm02
Explorer

I am working with Splunk's rest API. I have to make a post request to Splunk and get some data from a dbxquery. I tried using the following curl command but got an error stating dbxquery is an unknown search command.

curl -H "Authorization: Basic cHp2NjBzcGx1bms6U3BsdW5rMTIz" -k https://se138628.devmaple.devfg.rbc.com:8089/services/search/jobs -d search="| dbxquery query%22select%20count(distinct%20id)..." -d output_mode=json -d id=test_search_2 -d adhoc_search_level=fast -d earliest_time=-2h -d max_count=10

I was wondering if it is possible to make a curl command with dbx searches and return the json data.

Regards.


vasanthmss
Motivator

Hi ssharm01,

You could use CURL to run DBX Query.
Note: Make sure the user (in the authentication token) has access to run the dbx query.

Here is the information about the endpoint: services/search/jobs

GET: Get details of all current searches.
POST: Start a new search and return the search ID (<sid>).

The above curl call will create a job and return the job ID (SID). Using the job ID, you should make another call to search/jobs/{search_id}/results to get the results.

REST Call 1:

curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs  -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json 

Rest Call 2:

curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/<SID>/results' --get -d output_mode=json

Read these docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch

Hope this helps you

Cheers!!!

V
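
The two REST calls from the answer above combined into one script, as an added example that is not part of the original thread: curl URL-encodes the search with --data-urlencode, the script waits for the job to finish before fetching results, and the server certificate is checked with --cacert instead of -k. The function names, the SPLUNK_URL, SPLUNK_BASIC and SPLUNK_CACERT environment variables, the 60-second limit and the match on isDone in the job-status JSON are assumptions.

```shell
#!/bin/sh
# Added example; function names and SPLUNK_* variables are assumptions.
#   SPLUNK_URL     management URL, e.g. https://localhost:8089
#   SPLUNK_BASIC   base64 of "user:password" for the Basic header
#   SPLUNK_CACERT  CA bundle that signed the management-port certificate

# Build the SPL string. Backslashes and double quotes inside the SQL are
# escaped so the statement stays inside query="...".
build_search() (   # $1 = SQL text, $2 = DB Connect connection name
  sql=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf '| dbxquery query="%s" connection="%s"' "$sql" "$2"
)

# Pull the search ID out of the {"sid":"..."} body returned by call 1.
extract_sid() {
  sed -n 's/.*"sid"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# curl with certificate verification (--cacert) instead of -k.
splunk_curl() {
  curl -sS --fail --cacert "$SPLUNK_CACERT" \
       -H "Authorization: Basic $SPLUNK_BASIC" "$@"
}

# Run one dbxquery and print its results as JSON.
run_dbxquery() (   # $1 = SQL text, $2 = connection name
  api="$SPLUNK_URL/services/search/jobs"
  # REST call 1: create the job; --data-urlencode encodes |, = and quotes.
  sid=$(splunk_curl "$api" -d output_mode=json \
          --data-urlencode "search=$(build_search "$1" "$2")" | extract_sid)
  [ -n "$sid" ] || { echo "no sid in response" >&2; exit 1; }
  # Wait until the job reports isDone (assumed 60 s limit).
  tries=0
  until splunk_curl "$api/$sid" --get -d output_mode=json |
        grep -q '"isDone":[[:space:]]*true'; do
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || { echo "job $sid still running" >&2; exit 1; }
    sleep 1
  done
  # REST call 2: fetch the results of the finished job.
  splunk_curl "$api/$sid/results" --get -d output_mode=json
)

# Usage: run_dbxquery 'SELECT count(*) FROM db.table' 'connection'
```

Because the search is passed through --data-urlencode, the SQL needs no hand-written %22 or %20 sequences.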

tmuth_splunk
Splunk Employee

I believe commands that start with a pipe in the UI have an implied

search | ...

in front of the command. Try changing your search parameter from:

search=" | dbxquery query=\"SELECT count(*) FROM db.table\"

to

search="search | dbxquery query=\"SELECT count(*) FROM db.table\"

ssharm02
Explorer

Hey Vasanthmss, I tried what you suggested and I am still getting the same error. Type Fatal, Unknown search command 'dbxquery.'


ssharm02
Explorer

Your suggestion worked for me. I did have to add two escape backslashes on the SQL queries though (node.js environment).

vasanthmss
Motivator

Are you able to run the search in the web UI with the same user?

V

ssharm02
Explorer

Hi Vasanthmss,

This error doesn't seem to be related to user privileges, since the cmd console is saying the dbxquery is an unknown search command.
