Getting Data In

Why is the REST command not pulling KVStore collection data?

jsilverbears
Path Finder

I am trying to use the REST command to programmatically look up the data from collections that are chosen.

Supposedly, I can use

| rest /servicesNS/{owner}/{app}/storage/collections/data/{collection}

and get the data I need but it keeps returning 0 when I know there is data in there.

I thought it might be misreferenced but when I changed the url (to an incorrect one to test) it gave me an error. I also thought it might be an issue between one app and another (calling the data from one app by another) but I don't see any collection level permissions and the lookups that are associated are all open with their permissions. Lastly, I thought it might be the user but the owner is 'nobody'. I am logged in using the admin user with 'nobody' in the url. The data put in there was from the admin user so I put that user in the url and still nothing.

Am I missing something here?

Tags (3)
1 Solution

jsilverbears
Path Finder

So as I am not able to wait for an actual answer to my question, I have a workaround if anyone is having the same issue and can actually use my solution.

To be able to access any collection, since the REST API doesn't work for getting the actual data from the collection, you will need to get the lookup for the collection in question. For me, my collections only have 1 lookup each so it was a bit easier.

If you need the app information, you can use:
| rest /services/apps/local

If you want the collection information:
| rest /servicesNS/nobody/$app$/storage/collections/config

If you want the lookups for any collection:
| rest /servicesNS/nobody/$app$/data/transforms/lookups/ | where collection="$collection$" | fields title
(The title column has the name to use for the next bit.)

Then, if you want the data itself:
| inputlookup $lookup$ | eval KeyID = _key
(For some reason, if you want the _key to actually show up in a table, you need to reassign the _key to something else. Go figure.)

Anyway, I hope this helps someone. I know it would have been nice to have for me. 😉

View solution in original post

creiglow
Explorer

Did you ever get a real answer as to why no data was returned?  I am having the same issue.

0 Karma

jsilverbears
Path Finder

So as I am not able to wait for an actual answer to my question, I have a workaround if anyone is having the same issue and can actually use my solution.

To be able to access any collection, since the REST API doesn't work for getting the actual data from the collection, you will need to get the lookup for the collection in question. For me, my collections only have 1 lookup each so it was a bit easier.

If you need the app information, you can use:
| rest /services/apps/local

If you want the collection information:
| rest /servicesNS/nobody/$app$/storage/collections/config

If you want the lookups for any collection:
| rest /servicesNS/nobody/$app$/data/transforms/lookups/ | where collection="$collection$" | fields title
(The title column has the name to use for the next bit.)

Then, if you want the data itself:
| inputlookup $lookup$ | eval KeyID = _key
(For some reason, if you want the _key to actually show up in a table, you need to reassign the _key to something else. Go figure.)

Anyway, I hope this helps someone. I know it would have been nice to have for me. 😉

CodyQ
Explorer

Your feedback was extremely helpful, but for my environment, I had to add utilize the following query to produce results:

| rest splunk_server=local count=0 /servicesNS/nobody/$app$/data/transforms/lookups/
| where collection="$collection$"
| fields title

Just wanted to pass that along just in case someone else might have the same issue.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...