I am working with Splunk's REST API. I have to make a POST request to Splunk and get some data from a dbxquery. I tried using the following curl command but got an error stating dbxquery is an unknown search command.
curl -H "Authorization: Basic cHp2NjBzcGx1bms6U3BsdW5rMTIz" -k https://se138628.devmaple.devfg.rbc.com:8089/services/search/jobs -d search="| dbxquery query%22select%20count(distinct%20id)..." -d output_mode=json -d id=test_search_2 -d adhoc_search_level=fast -d earliest_time=-2h -d max_count=10
I was wondering if it is possible to make a curl command with dbx searches and return the json data.
Regards.
Hi ssharm01,
You could use CURL to run a DBX query.
Note: Make sure the user (in the authentication token) has access to run the dbxquery.
Here is the information about the endpoint services/search/jobs:
GET: Get details of all current searches.
POST: Start a new search and return the search ID (<sid>).
The above CURL call will create a job and return the job ID (SID). Using the job ID, you should make another call to search/jobs/{search_id}/results to get the results.
REST Call 1:
curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json
REST Call 2:
curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/<SID>/results' --get -d output_mode=json
Read these docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch
Hope this helps you
Cheers!!!
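The two REST calls in the answer above, carried through as a small Python client. This is an added example, not code from the thread or from Splunk: it POSTs the search to services/search/jobs, polls services/search/jobs/<sid> until the job reports isDone, and only then GETs /results with output_mode=json (the results endpoint answers 204 with an empty body while the job is still running, which is where a naive two-call script breaks). The host splunk.example, the service account, the connection name and the SQL are placeholders; the fake transport at the bottom returns constructed Splunk-style responses so the flow can be run offline, and against a real server you drop the transport argument. The client verifies TLS by default (the equivalent of leaving out curl's -k) and backslash-escapes double quotes inside the SQL, since the whole SQL text sits inside the quoted query="..." argument of the SPL string.

```python
"""Two-step Splunk REST search: create job, wait until done, fetch JSON results.
Added example, not the thread's or Splunk's code. Host, credentials, connection
name and SQL are placeholders; the fake transport returns constructed responses."""
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def dbxquery_spl(sql: str, connection: str) -> str:
    """SPL for a generating dbxquery search (hence the leading pipe).
    Quotes and backslashes in the SQL are escaped because it is embedded in the
    quoted query="..." argument. Never splice untrusted input into `sql`:
    dbxquery hands it to the database verbatim."""
    escaped = sql.replace("\\", "\\\\").replace('"', '\\"')
    return f'| dbxquery query="{escaped}" connection="{connection}"'


def urllib_transport(method, url, headers, body=None):
    """Default transport: one HTTPS request with certificate verification on."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


class SplunkSearch:
    def __init__(self, base_url, headers, transport=urllib_transport):
        self.base, self.headers, self.transport = base_url.rstrip("/"), headers, transport

    def create_job(self, spl, earliest="-2h", latest="now") -> str:
        """REST call 1: POST services/search/jobs; returns the SID."""
        form = urllib.parse.urlencode({"search": spl, "output_mode": "json",
                                       "earliest_time": earliest, "latest_time": latest})
        headers = {**self.headers, "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport("POST", f"{self.base}/services/search/jobs", headers, form)
        if status not in (200, 201):
            raise RuntimeError(f"job creation failed: HTTP {status}: {body}")
        return json.loads(body)["sid"]

    def wait_until_done(self, sid, timeout=120.0, interval=1.0) -> dict:
        """Poll services/search/jobs/<sid> until isDone; returns the job content."""
        url = f"{self.base}/services/search/jobs/{urllib.parse.quote(sid)}?output_mode=json"
        deadline = time.monotonic() + timeout
        while True:
            _, body = self.transport("GET", url, self.headers)
            content = json.loads(body)["entry"][0]["content"]
            if content.get("dispatchState") == "FAILED":
                raise RuntimeError(f"search {sid} failed: {content.get('messages')}")
            if content.get("isDone"):
                return content
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {sid} still running after {timeout}s")
            time.sleep(interval)

    def results(self, sid, count=0) -> list:
        """REST call 2: GET services/search/jobs/<sid>/results as JSON rows.
        count=0 asks for all rows; a 204/empty body means the job is not finished."""
        url = f"{self.base}/services/search/jobs/{urllib.parse.quote(sid)}/results?output_mode=json&count={count}"
        status, body = self.transport("GET", url, self.headers)
        if status == 204 or not body:
            raise RuntimeError(f"search {sid} has no results yet; call wait_until_done first")
        return json.loads(body)["results"]


def run_dbxquery(client, sql, connection, interval=1.0):
    sid = client.create_job(dbxquery_spl(sql, connection))
    client.wait_until_done(sid, interval=interval)
    return client.results(sid)


def fake_transport_factory():
    """Constructed Splunk-style responses: job created, one RUNNING poll, then DONE."""
    polls = {"n": 0}

    def transport(method, url, headers, body=None):
        assert headers.get("Authorization", "").startswith("Basic ")
        if method == "POST" and url.endswith("/services/search/jobs"):
            assert urllib.parse.parse_qs(body)["search"][0].startswith("| dbxquery ")
            return 201, json.dumps({"sid": "1700000000.42"})
        if "/results?" in url:
            return 200, json.dumps({"fields": [{"name": "count"}], "results": [{"count": "1287"}]})
        polls["n"] += 1
        done = polls["n"] >= 2
        return 200, json.dumps({"entry": [{"content": {
            "isDone": done, "dispatchState": "DONE" if done else "RUNNING"}}]})
    return transport


def demo():
    client = SplunkSearch("https://splunk.example:8089",
                          basic_auth_header("svc_dbx", "placeholder-password"),
                          transport=fake_transport_factory())
    return run_dbxquery(client, 'SELECT count(DISTINCT id) AS count FROM "orders"',
                        "my_connection", interval=0.01)


if __name__ == "__main__":
    print(demo())
```

For a real server, create the client with the default transport and a session key from /services/auth/login (Authorization: Splunk <key>) or a bearer token rather than a long-lived Basic header, and keep certificate verification on so the credential is not sent to whatever answers on port 8089.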
I believe commands that start with a pipe in the UI have an implied "search | ..." in front of the command. Try changing your search parameter from:
search=" | dbxquery query=\"SELECT count(*) FROM db.table\"
to
search="search | dbxquery query=\"SELECT count(*) FROM db.table\"
Hey Vasanthmss, I tried what you suggested and I am still getting the same error. Type Fatal, Unknown search command 'dbxquery.'
Your suggestion worked for me. I did have to add two escape backslashes on the SQL queries though (node.js environment)
Are you able to run the search in the Web UI with the same user?
Hi Vasanthmss,
This error doesn't seem to be related to user privileges, since the cmd console is saying the dbxquery is an unknown search command.