Other Usage

How can I create a search job using the REST API?

ww9rivers
Contributor

Following the documentation here:
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job

I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.

However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']

where jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs on the search head.

The code (JavaScript) is in this public repository:
https://github.com/ww9rivers/splunk-rest-search

Am I missing anything? Thank you for your insights!


ww9rivers
Contributor

Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded.

The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61

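The fix described above, written out as an added example (not the author's gist or code from the original post): the job parameters go into a URLSearchParams body, which Node's fetch serialises as application/x-www-form-urlencoded and labels with the matching Content-Type, and the response is only accepted as a job id when it actually contains a single `sid`. Node 18+ (global fetch) and the same SPLUNK_HOST / SPLUNK_TOKEN variables are assumed.

```javascript
// Added example (not from the original post or the author's gist): build the
// request the way /services/search/jobs expects it. Assumes Node 18+ (global
// fetch and URLSearchParams) and the same SPLUNK_HOST / SPLUNK_TOKEN variables.

// Encode the job parameters as application/x-www-form-urlencoded. Passing a
// URLSearchParams object as the body also makes fetch set the matching
// Content-Type header, which JSON.stringify(data) never does.
function buildSearchJobRequest(host, token, search) {
  const body = new URLSearchParams({ search, output_mode: "json" });
  return {
    url: `https://${host}:8089/services/search/jobs`,
    options: {
      method: "POST",
      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
      body,
    },
  };
}

// Take the job id out of a create-job response. A body without "sid" (the job
// listing described in the question, or an XML error document) is rejected
// rather than being passed on as if it were a job id.
function parseSid(responseText) {
  let parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (err) {
    throw new Error(`expected JSON, got: ${responseText.slice(0, 80)}`);
  }
  if (typeof parsed.sid !== "string" || parsed.sid === "") {
    throw new Error("response is not a single search job: no sid field");
  }
  return parsed.sid;
}

async function createSearchJob(host, token, search) {
  const { url, options } = buildSearchJobRequest(host, token, search);
  const response = await fetch(url, options); // TLS verification stays enabled
  const text = await response.text();
  if (!response.ok) {
    throw new Error(`create job failed: HTTP ${response.status}: ${text.slice(0, 200)}`);
  }
  return parseSid(text);
}

// Only contact a real server when the environment is configured.
if (process.env.SPLUNK_HOST && process.env.SPLUNK_TOKEN) {
  createSearchJob(process.env.SPLUNK_HOST, process.env.SPLUNK_TOKEN, "| inputcsv search-output.csv")
    .then((sid) => console.log(sid), (err) => { console.error(err.message); process.exitCode = 1; });
}
```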

ww9rivers
Contributor

There is something missing in my NodeJS code, it seems.

This simple Python3 test works (in creating a search job and returning an sid):

```python
import os
import requests

# Build the request: bearer-token auth, JSON output, TLS verification left on
SEARCH_ENDPOINT = "https://" + os.environ['SPLUNK_HOST'] + ":8089/services/search/jobs"
headers = {
    'Authorization': 'Bearer ' + os.environ['SPLUNK_TOKEN'],
    "Accept": "application/json"
}
# requests sends a dict passed as data= form-urlencoded, which is what the endpoint expects
params = {
    "search": "inputcsv search-output.csv",
    "output_mode": "json"
}

response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True)
print(response.text)
```

But this NodeJS code does not:

```javascript
const SEARCH_ENDPOINT = `https://${process.env.SPLUNK_HOST}:8089/services/search/jobs`;
const data = {
  search: "inputcsv search-output.csv",
  output_mode: "json"
};
const options = {
  method: "POST",
  mode: "cors",
  cache: "no-cache",
  credentials: "same-origin",
  headers: {
    Authorization: `Bearer ${process.env.SPLUNK_TOKEN}`,
    Accept: "application/json"
  },
  redirect: "follow",
  referrerPolicy: "no-referrer",
  body: JSON.stringify(data),
};

let response = await fetch(SEARCH_ENDPOINT, options);
console.log(response.status);
console.log(response.body);
console.log(await response.json());
```

With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this:

```json
{"sid":"1691684765.268000"}
```

But the NodeJS example returns an XML document.

Any thoughts are much appreciated!



isoutamo
SplunkTrust

Hi

I suppose there is some misunderstanding about using the /services vs. /servicesNS endpoints? Maybe this explains how to use those? https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-this-Error-while-using-the-rest-in-...

r. Ismo


ww9rivers
Contributor

No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search:

```shell
curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . .
```

In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "| rest"; rather, it is something like "| inputcsv <some-results>.csv" for most of my use cases.

Thank you for the thoughts.
