Getting Data In

Problems using the REST API to search

merritsa
Path Finder

Hello,

I have several questions/issues with the Splunk API, so I'll try to keep this short and concise.

First - does splunk offer a WSDL? That would really solve all this for me. If not, then here's my next question of many:

What's causing this error?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.

I get that when I attempt to call the Splunk API with an HP OO HTTP Client GET operation.

I have ideas for workarounds (including using WMI to run splunk CLI search commands and getting results) but they have their own issues. I'd like to tackle this one first.

Thanks in advance.

1 Solution

hexx
Splunk Employee

I would suggest modifying the "search" parameter in your POST request to:

search=search cdp * | head 10

...instead of :

search=cdp * | head 10

...as specified in the REST API reference for the search/jobs endpoint:

Name     Type     Required   Default   Description
search   String   yes                  The search language string to execute, taking results from the local and remote servers.

Examples:
    "search *"
    "search * | outputcsv"

(...)

The search string for the search parameter must be prefixed with "search." Thus, it is in the form:

search search_string

(...)

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs \
    --data-urlencode search="search index=_internal source=*/metrics.log" \
    -d id=mysearch_02151949 \
    -d max_count=50000 \
    -d status_buckets=300

The error you are seeing is shown because your search string is the equivalent of typing "=cdp * | head 10" in the Splunkweb search bar, which would indeed have a missing term on the left side of an "=" operand.

This is because the Splunkweb search bar silently appends the search terms you provide to the search command, which results in a separate "splunk search" process.

If you compare a search job entry from a Splunkweb ad-hoc search @ https://localhost:8089/services/search/jobs/ with the one generated by your search, you'll see the difference.

Essentially, you'll want to modify your POST request so that the name of the job object you create @ https://localhost:8089/services/search/jobs/ is "search cdp * | head 10" and not "search=cdp * | head 10".

View solution in original post

hexx
Splunk Employee

You need to pass the "earliest_time" and "latest_time" parameters in your POST request to do so, just like you did for "search". You can find the specifications of these parameters in the "Request" table of the REST API reference documentation I linked earlier.
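The flow hexx describes in the accepted answer and in the reply above (POST a search string prefixed with the "search" command together with earliest_time and latest_time, read the sid back, then poll the job and fetch its results) as an added Python example. This is not code from the thread or from Splunk. The management URL, the SPLUNK_USER / SPLUNK_PASS environment variables, the cafile argument and the sample job entry embedded below are assumptions constructed for illustration; the example also replaces the "-k -u admin:pass" curl pattern with a session key from /services/auth/login and a verified TLS connection, so the password never sits on a command line.

```python
"""Added example (not from the thread or from Splunk): drive the search/jobs
REST endpoint the way the accepted answer describes. Host, credentials
(SPLUNK_USER / SPLUNK_PASS) and the sample XML below are assumptions."""
import json
import os
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Namespace Splunk uses for <s:key>/<s:item> inside Atom responses.
NS = {"s": "http://dev.splunk.com/ns/rest"}


def normalize_search(spl):
    """Prefix the string with the 'search' command, as the endpoint requires.
    Strings already starting with a command (search, or a generating command
    introduced by '|') pass through unchanged."""
    s = spl.strip()
    if s.startswith("|") or s.split(None, 1)[0].lower() == "search":
        return s
    return "search " + s


def build_job_body(spl, earliest="-24h", latest="now", output_mode="xml"):
    """URL-encoded POST body for /services/search/jobs. Each field is its own
    form parameter, and '|' / '=' inside the search are percent-encoded rather
    than comma-joined with other fields as the HP OO input in the thread was."""
    params = {
        "search": normalize_search(spl),
        "earliest_time": earliest,  # leave both out and the job shows epoch 0 (1969)
        "latest_time": latest,
        "output_mode": output_mode,
    }
    return urllib.parse.urlencode(params).encode()


def parse_sid(xml_body):
    """Job creation answers <response><sid>...</sid></response>."""
    return ET.fromstring(xml_body).findtext("sid")


def job_messages(xml_body):
    """(level, text) pairs from a job's Atom entry; the thread's parse error
    sits under <s:key name="messages"> ... <s:item>."""
    root = ET.fromstring(xml_body)
    found = []
    for level in root.iterfind(".//s:key[@name='messages']/s:dict/s:key", NS):
        for item in level.iterfind("s:list/s:item", NS):
            found.append((level.get("name"), (item.text or "").strip()))
    return found


# Constructed job entry (assumption) in the shape Splunk returns for a failed parse.
SAMPLE_JOB_XML = b"""<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:s="http://dev.splunk.com/ns/rest">
  <content type="text/xml"><s:dict>
    <s:key name="dispatchState">FAILED</s:key>
    <s:key name="messages"><s:dict><s:key name="error"><s:list>
      <s:item>Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.</s:item>
    </s:list></s:key></s:dict></s:key>
  </s:dict></content>
</entry>"""


def run_search(base_url, spl, cafile=None, poll_secs=1.0, timeout_secs=300):
    """Login -> create job -> poll -> fetch results. Credentials come from the
    environment, not the command line, and TLS is verified against cafile
    instead of being disabled with curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)

    def call(path, body=None, headers=None, method="GET"):
        req = urllib.request.Request(base_url + path, data=body,
                                     headers=headers or {}, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()

    login = urllib.parse.urlencode({"username": os.environ["SPLUNK_USER"],
                                    "password": os.environ["SPLUNK_PASS"]}).encode()
    key = ET.fromstring(call("/services/auth/login", login, method="POST")).findtext("sessionKey")
    auth = {"Authorization": "Splunk " + key}

    sid = parse_sid(call("/services/search/jobs", build_job_body(spl), auth, "POST"))
    deadline = time.time() + timeout_secs
    while True:
        job = json.loads(call(f"/services/search/jobs/{sid}?output_mode=json", headers=auth))
        content = job["entry"][0]["content"]
        if content["dispatchState"] == "FAILED":
            raise RuntimeError([m["text"] for m in content.get("messages", [])])
        if content["isDone"]:
            break
        if time.time() > deadline:
            raise TimeoutError(sid)
        time.sleep(poll_secs)
    body = call(f"/services/search/jobs/{sid}/results?output_mode=json&count=0", headers=auth)
    return json.loads(body)["results"]
```

Usage: export SPLUNK_USER and SPLUNK_PASS, then call run_search("https://splunk.example:8089", "cdp * | head 10", cafile="/path/to/mgmt-ca.pem"). A search submitted without the "search" prefix is reported by the FAILED branch with the same "Comparator '=' is missing a term" text the thread shows, instead of silently returning a sid and an empty result set.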

merritsa
Path Finder

Thanks, this got me a lot closer. I revised the command to instead be search cdp * | head 10,output_mode=xml, since the command "search" seems to be accounted for elsewhere in the post operation input.

Though I still don't seem to have results. Just a lack of an error message. In looking through it, it seems this might be why:

1969-12-31T16:00:00.000-08:00

I'll try to figure out how to denote a proper search time.

hexx
Splunk Employee

@merritsa: Thank you for accepting my answer. Did my instructions resolve your problem?


merritsa
Path Finder

Exactly. Splunk never returns an error on the search itself when I post it.

I'll play with it some more and report back. Thanks.


jensihnow
Path Finder

You created a search job and got a job ID. But when you go to get the results, you get the Splunk error. That looks like your search is not being sent correctly to Splunk by the request. At http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT there is a nice tutorial with some examples:
curl -k -u admin:changeme -d 'search="search error"' https://localhost:8089/servicesNS/admin/search/search/jobs

Maybe the quoting/encoding of your request is wrong.


Damien_Dallimor
Ultra Champion

Not a WSDL , but an endpoint reference can be found here :

http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlist

merritsa
Path Finder

So based on that reference page, as far as I can tell, it's formatted correctly. What's the next step to test this?

merritsa
Path Finder

Thanks, I'll check it out.


merritsa
Path Finder

So then I run an HTTP Client GET to get those results, at which point I get the error I originally posted - Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.

It's down in the middle of all the xml output I get as a reply.


merritsa
Path Finder

Of course, my apologies 🙂 I'm on a conference call and replying to both IM and email too...I'm a terrible multi-tasker.

Here you go...

Post from the HTTP Client POST operation in OO:

https://<splunk_server>/services/search/jobs/

search=cdp * | head 10,output_mode=xml

inputValueSet
search=cdp * | head 10,output_mode=xml

inputNameList
search,output

delimiter
,

This returns success and gives me what looks to be an epoch time as a result. I've read that this is the name of the Splunk search results (in this case, 1327527878.25639).


jensihnow
Path Finder

Maybe it would help if you post your search string to check the syntax. 😉
