Hello,
I have several questions/issues with the Splunk API, so I'll try to keep this short and concise.
First - does splunk offer a WSDL? That would really solve all this for me. If not, then here's my next question of many:
What's causing this error?
I get that when I attempt to call the Splunk API with an HP OO HTTP Client GET operation.
I have ideas for workarounds (including using WMI to run splunk CLI search commands and getting results) but they have their own issues. I'd like to tackle this one first.
Thanks in advance.
I would suggest to modify the "search" parameter in your POST request to :
search=search cdp * | head 10
...instead of :
search=cdp * | head 10
...as specified in the REST API reference for the search/jobs endpoint:
Name: search
Type: String
Required: ✓
Default: (none)
Description: The search language string to execute, taking results from the local and remote servers.
Examples:
"search *"
"search * | outputcsv"
(...)
The search string for the search parameter must be prefixed with "search." Thus, it is in the form:
search search_string
(...)
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs \
--data-urlencode search="search index=_internal source=*/metrics.log" \
-d id=mysearch_02151949 \
-d max_count=50000 \
-d status_buckets=300
The error you are seeing is shown because your search string is the equivalent of typing "=cdp * | head 10" in the Splunkweb search bar, which would indeed have a missing term on the left side of an "=" operand.
This is because the Splunkweb search bar silently appends the search terms you provide to the search command, which results in a separate "splunk search" process.
If you compare a search job entry from a Splunkweb ad-hoc search @ https://localhost:8089/services/search/jobs/ with the one generated by your search, you'll see the difference.
Essentially, you'll want to modify your POST request so that the name of the job object you create @ https://localhost:8089/services/search/jobs/ is "search cdp * | head 10" and not "search=cdp * | head 10".
You need to pass the "earliest_time" and "latest_time" parameters in your POST request to do so, just like you did for "search". You can find the specifications of these parameters in the "Request" table of the REST API reference documentation I linked earlier.
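The two points made in the answer above (prefix the `search` parameter with the `search` command, and scope the job with `earliest_time`/`latest_time`) are easy to get wrong when a client such as the OO HTTP operation builds the body for you. The following is an added example, not code from the thread or from Splunk: it builds the form-encoded POST body for `/services/search/jobs`, then parses the job id (sid) out of a constructed sample of the XML reply and derives the URL for the follow-up results GET. The base URL `https://splunk.example:8089` is a placeholder; the `/results` path is the standard job results endpoint.

```python
# Added example (not from the original thread): building the POST body for
# Splunk's search/jobs endpoint with the mandatory "search " prefix and an
# explicit time range, then pulling the job id (sid) out of the XML reply.
# Runs offline: the XML reply below is a constructed sample shaped like the
# one the poster saw (a sid that looks like an epoch timestamp).
import urllib.parse
import xml.etree.ElementTree as ET

SEARCH_JOBS_PATH = "/services/search/jobs"


def normalize_search(query: str) -> str:
    """Return the query in the form the REST API expects: 'search <terms>'.

    A string that already starts with the 'search' command, or with a leading
    '|' (a generating command such as '| inputlookup'), is left unchanged.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty search string")
    if q.startswith("|"):
        return q
    if q.split(None, 1)[0].lower() == "search":
        return q
    return "search " + q


def build_job_request(query, earliest_time=None, latest_time=None, output_mode="xml"):
    """Form-encode the parameters for POST /services/search/jobs.

    'search' carries the SPL string (prefixed if needed); earliest_time and
    latest_time bound the search window. Returns the URL-encoded body, so
    spaces, '*' and '|' are escaped rather than sent raw.
    """
    params = {"search": normalize_search(query), "output_mode": output_mode}
    if earliest_time is not None:
        params["earliest_time"] = earliest_time
    if latest_time is not None:
        params["latest_time"] = latest_time
    return urllib.parse.urlencode(params)


def parse_sid(xml_text: str) -> str:
    """Extract the job id from a <response><sid>...</sid></response> reply."""
    root = ET.fromstring(xml_text)
    sid = root.findtext("sid")
    if not sid:
        raise ValueError("no <sid> element in reply")
    return sid.strip()


def results_url(base_url: str, sid: str, output_mode: str = "xml") -> str:
    """URL of the job's results endpoint for the follow-up GET."""
    safe_sid = urllib.parse.quote(sid, safe="")
    return f"{base_url.rstrip('/')}{SEARCH_JOBS_PATH}/{safe_sid}/results?output_mode={output_mode}"


# Constructed sample reply, shaped like the one Splunk returns on job creation.
SAMPLE_CREATE_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>1327527878.25639</sid>
</response>"""

if __name__ == "__main__":
    body = build_job_request("cdp * | head 10", earliest_time="-24h", latest_time="now")
    print(body)
    sid = parse_sid(SAMPLE_CREATE_REPLY)
    print(results_url("https://splunk.example:8089", sid))  # placeholder host
```

The body produced for the poster's query is `search=search+cdp+%2A+%7C+head+10&output_mode=xml&earliest_time=-24h&latest_time=now`; note that the parameter name and the `search` command are two different things, which is exactly the confusion in the original request.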
Thanks, this got me a lot closer. I revised the command to instead be search cdp * | head 10,output_mode=xml, since the command "search" seems to be accounted for elsewhere in the post operation input.
Though I still don't seem to have results. Just a lack of an error message. In looking through it, it seems this might be why:
I'll try to figure out how to denote a proper search time.
@merritsa: Thank you for accepting my answer. Did my instructions resolve your problem?
Exactly. Splunk never returns an error on the search itself when I post it.
I'll play with it some more and report back. Thanks.
You created a search job and got a jobid. But if you are going to get the results, you get the splunk error. That looks like your search is not sent correctly to splunk by the request. At http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT is a nice tutorial with some examples:
curl -k -u admin:changeme -d 'search="search error"' https://localhost:8089/servicesNS/admin/search/search/jobs
Maybe the quoting/encoding of your request is wrong.
Not a WSDL, but an endpoint reference can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlist
So based on that reference page, as far as I can tell, it's formatted correctly. What's the next step to ts this?
Thanks, I'll check it out.
So then I run an HTTP Client GET to get those results, at which point I get the error I originally posted -
It's down in the middle of all the xml output I get as a reply.
Of course, my apologies 🙂 I'm on a conference call and replying to both IM and email too...I'm a terrible multi-tasker.
Here you go...
Post from the HTTP Client POST operation in OO:
https://<splunk_server>/services/search/jobs/
search=cdp * | head 10,output_mode=xml
inputValueSet
search=cdp * | head 10,output_mode=xml
inputNameList
search,output
delimeter
,
This returns success and gives me what looks to be an epoch time as a result. I've read that this is the name of the splunk search results (in this case, 1327527878.25639).
Maybe it would help if you post your search string to check the syntax. 😉