Other Usage

How can I create a search job using the REST API?

ww9rivers
Contributor

Following the documentation here:
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job

I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.

However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']

where, jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs in the search head.

The code (JavaScript) is in this public repository:
https://github.com/ww9rivers/splunk-rest-search

Am I missing anything? Thank you for your insights!

Labels (2)
Tags (2)
0 Karma
1 Solution

ww9rivers
Contributor

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

View solution in original post

ww9rivers
Contributor

There is something missing in my NodeJS code, it seems.

This simple Python3 test works (in creating a search job and returning an sid):

 

import os
import requests

# Set up the session with our adapter
SEARCH_ENDPOINT = "https://"+os.environ['SPLUNK_HOST']+":8089/services/search/jobs"
headers = {
    'Authorization': 'Bearer '+os.environ['SPLUNK_TOKEN'],
    "Accept": "application/json"
}
params = {
    "search": "inputcsv search-output.csv",
    "output_mode": "json"
}

response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True)
print(response.text)

 

But this NodeJS code does not:

 

const SEARCH_ENDPOINT = `https://${process.env.SPLUNK_HOST}:8089/services/search/jobs`;
const data = {
	search: "inputcsv search-output.csv",
	output_mode: "json"
};
const options = {
	method: "POST",
	mode: "cors",
	cache: "no-cache",
	credentials: "same-origin",
	headers: {
		Authorization: `Bearer ${process.env.SPLUNK_TOKEN}`,
		Accept: "application/json"
	},
	redirect: "follow",
	referrerPolicy: "no-referrer",
	body: JSON.stringify(data),
};

let response = await fetch(SEARCH_ENDPOINT, options);
console.log(response.status);
console.log(response.body);
console.log(await response.json());

 

With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this:

 

{"sid":"1691684765.268000"}

 

But the NodeJS example returns an XML document.

Any thoughts are much appreciated!

Tags (1)
0 Karma

ww9rivers
Contributor

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

isoutamo
SplunkTrust
SplunkTrust

Hi

I suppose that there is some misunderstanding to use /services vs. /servicesNS endpoints? Maybe that explain how to use those? https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-this-Error-while-using-the-rest-in-...

r. Ismo

0 Karma

ww9rivers
Contributor

No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search:

 

curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . .

 

In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "|rest" , rather, it is something like "| inputcsv <some-results>.csv" for most my use cases.

Thank you for the thoughts.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...