Solved: How can I create a search job using the REST API?

ww9rivers · ‎07-20-2023

Following the documentation here:
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job

I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.

However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']

where, jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs in the search head.

The code (JavaScript) is in this public repository:
https://github.com/ww9rivers/splunk-rest-search

Am I missing anything? Thank you for your insights!

ww9rivers · ‎08-20-2023

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

View solution in original post

ww9rivers · ‎08-10-2023

There is something missing in my NodeJS code, it seems.

This simple Python3 test works (in creating a search job and returning an sid):

import os
import requests

# Set up the session with our adapter
SEARCH_ENDPOINT = "https://"+os.environ['SPLUNK_HOST']+":8089/services/search/jobs"
headers = {
    'Authorization': 'Bearer '+os.environ['SPLUNK_TOKEN'],
    "Accept": "application/json"
}
params = {
    "search": "inputcsv search-output.csv",
    "output_mode": "json"
}

response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True)
print(response.text)

But this NodeJS code does not:

const SEARCH_ENDPOINT = `https://${process.env.SPLUNK_HOST}:8089/services/search/jobs`;
const data = {
	search: "inputcsv search-output.csv",
	output_mode: "json"
};
const options = {
	method: "POST",
	mode: "cors",
	cache: "no-cache",
	credentials: "same-origin",
	headers: {
		Authorization: `Bearer ${process.env.SPLUNK_TOKEN}`,
		Accept: "application/json"
	},
	redirect: "follow",
	referrerPolicy: "no-referrer",
	body: JSON.stringify(data),
};

let response = await fetch(SEARCH_ENDPOINT, options);
console.log(response.status);
console.log(response.body);
console.log(await response.json());

With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this:

{"sid":"1691684765.268000"}

But the NodeJS example returns an XML document.

Any thoughts are much appreciated!

ww9rivers · ‎08-20-2023

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

isoutamo · ‎07-21-2023

Hi

I suppose that there is some misunderstanding to use /services vs. /servicesNS endpoints? Maybe that explain how to use those? https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-this-Error-while-using-the-rest-in-...

r. Ismo

ww9rivers · ‎07-21-2023

No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search:

curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . .

In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "|rest" , rather, it is something like "| inputcsv <some-results>.csv" for most my use cases.

Thank you for the thoughts.

How can I create a search job using the REST API?

saved search

scheduled search

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?