Solved: REST API - Creating a Search

kvmadan · ‎02-03-2020

As mentioned in the documentation i am trying to create a search but I'm not getting the expected response.
https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Tips_on_accessing_searches

I'm getting below response.

<title>jobs</title>
<id>https://xyz:8089/services/search/jobs</id>
<updated>2020-02-03T06:11:04-08:00</updated>
<generator build="7af3758d0d5e" version="7.3.3"/>
<author>
    <name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>

As per the documentation, i am suppose to receive the sid.
Can someone help, what is going wrong?

jkat54 · ‎02-03-2020

Are you GETing or POSTing?

View solution in original post

niketn · ‎02-03-2020

@kvmadan can you try the following REST API?

https://xyz:8089/servicesNS/-/-/search/jobs

instead of https://xyz:8089/services/search/jobs and confirm?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kvmadan · ‎02-03-2020

It doesnt work for me.

jkat54 · ‎02-03-2020

Are you GETing or POSTing?

jkat54 · ‎02-03-2020

curl -XPOST -k https://..

kvmadan · ‎02-03-2020

Thank you. I got it now, i think the search should start with search command.
curl -XPOST -k https://splunk.xyz.net:8089/services/search/jobs -d search="search host=datacenter* AND sourcetype=absd:log "IzV2xyzSubmissionDebug" "absd_time" index=datacenter"

kvmadan · ‎02-04-2020

Another followup question.
I'm able to submit the job but the results are empty once the job's dispatchstate is DONE.
the same search query, when i execute in the Splunk UI, it returns the results.
I also treed limiting the results to last 24h by appending earliest=-24h

Is there anything wrong i am doing?

jkat54 · ‎02-04-2020

Is your new problem related to knowledge object sharing/permissions and the API namespace you're using?

For example, if your search works in "searching and reporting" app (aka "search") when ran as "username" but doesn't work in "launcher" app... or as another user in search app...

You would use curl.... localhost:port/servicesNS/username/search

If it only works for admin:

/servicesNS/admin/search

kvmadan · ‎02-04-2020

No, the search query can work in any app with admin/my user.

jkat54 · ‎02-04-2020

I converted my comments to an answer, please accept if it helped.

somesoni2 · ‎02-03-2020

Did you specify the search as show in that documentation page?

kvmadan · ‎02-03-2020

I'm sending the request through postman
below is what i am sending. .
https://splunk.xyx.net:8089/services/search/jobs?search=sourcetype=sp:wf_log "IAV2testSubmissionDebug" "xyz_time" index=datacenter

and above is the response i got with 200OK.

jkat54 · ‎02-03-2020

Please share your curl command.

REST API - Creating a Search

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...