Getting Data In

Why is the REST command not pulling KVStore collection data?

jsilverbears
Path Finder

I am trying to use the REST command to programmatically look up the data from collections that are chosen.

Supposedly, I can use

| rest /servicesNS/{owner}/{app}/storage/collections/data/{collection}

and get the data I need but it keeps returning 0 when I know there is data in there.

I thought it might be misreferenced but when I changed the url (to an incorrect one to test) it gave me an error. I also thought it might be an issue between one app and another (calling the data from one app by another) but I don't see any collection level permissions and the lookups that are associated are all open with their permissions. Lastly, I thought it might be the user but the owner is 'nobody'. I am logged in using the admin user with 'nobody' in the url. The data put in there was from the admin user so I put that user in the url and still nothing.

Am I missing something here?

Tags (3)
1 Solution

jsilverbears
Path Finder

So as I am not able to wait for an actual answer to my question, I have a workaround if anyone is having the same issue and can actually use my solution.

To be able to access any collection, since the REST API doesn't work for getting the actual data from the collection, you will need to get the lookup for the collection in question. For me, my collections only have 1 lookup each so it was a bit easier.

If you need the app information, you can use:
| rest /services/apps/local

If you want the collection information:
| rest /servicesNS/nobody/$app$/storage/collections/config

If you want the lookups for any collection:
| rest /servicesNS/nobody/$app$/data/transforms/lookups/ | where collection="$collection$" | fields title
(The title column has the name to use for the next bit.)

Then, if you want the data itself:
| inputlookup $lookup$ | eval KeyID = _key
(For some reason, if you want the _key to actually show up in a table, you need to reassign the _key to something else. Go figure.)

Anyway, I hope this helps someone. I know it would have been nice to have for me. 😉

View solution in original post

creiglow
Explorer

Did you ever get a real answer as to why no data was returned?  I am having the same issue.

0 Karma

jsilverbears
Path Finder

So as I am not able to wait for an actual answer to my question, I have a workaround if anyone is having the same issue and can actually use my solution.

To be able to access any collection, since the REST API doesn't work for getting the actual data from the collection, you will need to get the lookup for the collection in question. For me, my collections only have 1 lookup each so it was a bit easier.

If you need the app information, you can use:
| rest /services/apps/local

If you want the collection information:
| rest /servicesNS/nobody/$app$/storage/collections/config

If you want the lookups for any collection:
| rest /servicesNS/nobody/$app$/data/transforms/lookups/ | where collection="$collection$" | fields title
(The title column has the name to use for the next bit.)

Then, if you want the data itself:
| inputlookup $lookup$ | eval KeyID = _key
(For some reason, if you want the _key to actually show up in a table, you need to reassign the _key to something else. Go figure.)

Anyway, I hope this helps someone. I know it would have been nice to have for me. 😉

CodyQ
Explorer

Your feedback was extremely helpful, but for my environment, I had to add utilize the following query to produce results:

| rest splunk_server=local count=0 /servicesNS/nobody/$app$/data/transforms/lookups/
| where collection="$collection$"
| fields title

Just wanted to pass that along just in case someone else might have the same issue.

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...