Other Usage

How can I create a search job using the REST API?

ww9rivers
Contributor

Following the documentation here:
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job

I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.

However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']

where, jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs in the search head.

The code (JavaScript) is in this public repository:
https://github.com/ww9rivers/splunk-rest-search

Am I missing anything? Thank you for your insights!

Labels (2)
Tags (2)
0 Karma
1 Solution

ww9rivers
Contributor

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

View solution in original post

ww9rivers
Contributor

There is something missing in my NodeJS code, it seems.

This simple Python3 test works (in creating a search job and returning an sid):

 

import os
import requests

# Set up the session with our adapter
SEARCH_ENDPOINT = "https://"+os.environ['SPLUNK_HOST']+":8089/services/search/jobs"
headers = {
    'Authorization': 'Bearer '+os.environ['SPLUNK_TOKEN'],
    "Accept": "application/json"
}
params = {
    "search": "inputcsv search-output.csv",
    "output_mode": "json"
}

response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True)
print(response.text)

 

But this NodeJS code does not:

 

const SEARCH_ENDPOINT = `https://${process.env.SPLUNK_HOST}:8089/services/search/jobs`;
const data = {
	search: "inputcsv search-output.csv",
	output_mode: "json"
};
const options = {
	method: "POST",
	mode: "cors",
	cache: "no-cache",
	credentials: "same-origin",
	headers: {
		Authorization: `Bearer ${process.env.SPLUNK_TOKEN}`,
		Accept: "application/json"
	},
	redirect: "follow",
	referrerPolicy: "no-referrer",
	body: JSON.stringify(data),
};

let response = await fetch(SEARCH_ENDPOINT, options);
console.log(response.status);
console.log(response.body);
console.log(await response.json());

 

With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this:

 

{"sid":"1691684765.268000"}

 

But the NodeJS example returns an XML document.

Any thoughts are much appreciated!

Tags (1)
0 Karma

ww9rivers
Contributor

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

isoutamo
SplunkTrust
SplunkTrust

Hi

I suppose that there is some misunderstanding to use /services vs. /servicesNS endpoints? Maybe that explain how to use those? https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-this-Error-while-using-the-rest-in-...

r. Ismo

0 Karma

ww9rivers
Contributor

No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search:

 

curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . .

 

In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "|rest" , rather, it is something like "| inputcsv <some-results>.csv" for most my use cases.

Thank you for the thoughts.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...