Getting Data In

Is it possible to run a curl command on a dbxquery?

ssharm02
Explorer

I am working with Splunk's rest API. I have to make a post request to Splunk and get some data from a dbxquery. I tried using the following curl command but got an error stating dbxquery is an unknown search command.

curl -H "Authorization: Basic cHp2NjBzcGx1bms6U3BsdW5rMTIz" -k https://se138628.devmaple.devfg.rbc.com:8089/services/search/jobs -d search="| dbxquery query%22select%20count(distinct%20id)..." -d output_mode=json -d id=test_search_2 -d adhoc_search_level=fast -d earliest_time=-2h -d max_count=10

I was wondering if it is possible to make a curl command with dbx searches and return the json data.

Regards.

0 Karma
1 Solution

vasanthmss
Motivator

Hi ssharm01,

You could use CURL to run DBX Query.
Note : Make sure the User (in the authentication token) have access to run the dbx query.

Here are the information about the end point. services/search/jobs

GET :Get details of all current searches.
POST: Start a new search and return the search ID ( <sid>)

Above CURL call will create a job and return the Job ID (SID). using the job id, you should make another call to search/jobs/{search_id}/results to get results.

REST Call 1:

curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs  -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json 

Rest Call 2:

curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/`<SID>`/results' --get -d output_mode=json 

Read this docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch

Hope this helps you

Cheers!!!

View solution in original post

vasanthmss
Motivator

Hi ssharm01,

You could use CURL to run DBX Query.
Note : Make sure the User (in the authentication token) have access to run the dbx query.

Here are the information about the end point. services/search/jobs

GET :Get details of all current searches.
POST: Start a new search and return the search ID ( <sid>)

Above CURL call will create a job and return the Job ID (SID). using the job id, you should make another call to search/jobs/{search_id}/results to get results.

REST Call 1:

curl -H 'Authorization: Basic auth token' -k https://localhost:8089/services/search/jobs  -d search=" | dbxquery query=\"SELECT count(*) FROM db.table\" connection=\"connection\"" -d output_mode=json 

Rest Call 2:

curl -H 'Authorization: Basic auth token' -k 'https://localhost:8089/services/search/jobs/`<SID>`/results' --get -d output_mode=json 

Read this docs for more info: https://docs.splunk.com/Documentation/Splunk/7.3.1/RESTREF/RESTsearch

Hope this helps you

Cheers!!!

View solution in original post

tmuth_splunk
Splunk Employee
Splunk Employee

I believe commands that start with a pipe in the UI have an implied 

 

search | ...

 

in front of the command. Try changing your search parameter from: 

 

search=" | dbxquery query=\"SELECT count(*) FROM db.table\"

 

to

 

search="search | dbxquery query=\"SELECT count(*) FROM db.table\"

 

Tags (1)
0 Karma

ssharm02
Explorer

Hey Vasanthmss, I tried what you suggested and I am still getting the same error. Type Fatal, Unknown search command 'dbxquery.'

0 Karma

ssharm02
Explorer

Your suggestion worked for me. I did have to add two escape backslashes on the SQL queries though (node.js environment)

0 Karma

vasanthmss
Motivator

Are you able to run the search in web ui with the same user ?

0 Karma

ssharm02
Explorer

Hi Vasanthmss,

This error doesn't seem to be related to user privileges, since the cmd console is saying the dbxquery is an unknown search command.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!