Reporting

What are Splunk's REST API capabilities around use for report generation?

Path Finder

Hi

I'm trying to understand whether using REST APIs , can I -

  1. Execute searches on raw index, data models and summaries ?
  2. Execute searches as user1 (who has assigned role of role1) such that the results are returned per security/access model
  3. Get the results without limit (e.g. in some aspects of Splunk, I've read about not being able to return more than n number of records)...

My goal is -

a. Use a programming language wrapper using programming language wrapper and REST API
b. manipulate/summarize the data in required format
c. use external charting library
d. generate the reports/visualizations
e. schedule this script and run as various user(s) to get relevant data

Any pointers would be great.

thanks, ronak

Tags (4)
0 Karma

Path Finder

Hi Martin

Below is the script that got from the link and associated result ..made it work for my environment..

I was expecting to see 10 rows (as I see when I execute the same thru Search bar in browser).

Am I doing something wrong here?

thanks, ronak
---------------------- result --------------------

Ronaks-MacBook-Air:bin root# python rb9.py
search index=* | head 10
({'status': '201', 'content-length': '90', 'x-content-type-options': 'nosniff', 'expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'vary': 'Authorization', 'server': 'Splunkd', 'connection': 'Close', 'location': '/services/search/jobs/1421682152.110', 'cache-control': 'no-store, no-cache, must-revalidate, max-age=0', 'date': 'Mon, 19 Jan 2015 15:42:32 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'text/xml; charset=UTF-8'}, '\n\n 1421682152.110\n\n')

---------------------- script --------------------

!/usr/bin/python -u

import urllib
import httplib2
from xml.dom import minidom

baseurl = 'https://localhost:8089'
userName = 'admin'
password = 'admin'

searchQuery = 'index=* | head 10'

Authenticate with server.

#### Disable SSL cert validation. Splunk certs are self-signed.

serverContent = httplib2.Http(disablesslcertificate_validation=True).request(baseurl + '/services/auth/login',
'POST', headers={}, body=urllib.urlencode({'username':userName, 'password':password}))[1]

sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

check if the query has the search operator

if not searchQuery.startswith('search'):
searchQuery = 'search ' + searchQuery

print searchQuery

Run the search.

Again, disable SSL cert validation.

print httplib2.Http(disablesslcertificate_validation=True).request(baseurl + '/services/search/jobs','POST',

headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.urlencode({'search': searchQuery}))

0 Karma

Community Manager
Community Manager

Hi @ronak

Please be sure that when responding to someone's answer from here on out, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation.

I can't convert your current "answer" to a comment under martin_mueller's answer because of the character count being too large. If your response is hitting a character count limit, just be sure to break it up into multiple comments. Thanks and happy Splunking!

Patrick

0 Karma

SplunkTrust
SplunkTrust

Here's a tutorial on how to run searches using the REST API: http://docs.splunk.com/Documentation/Splunk/6.2.1/RESTTUT/RESTsearches
Those searches will be run as whatever user you used to log in, respecting the user's namespace.

Do consider using one of the Splunk SDKs at http://dev.splunk.com/view/sdks/SP-CAAADP7 instead of calling the REST API yourself, should save you a lot of work on standard tasks such as running searches and getting the results.

0 Karma

SplunkTrust
SplunkTrust

The response you received points you to the job that has been created for your search (jobid 1421682152.110). You can query the job as to whether it has finished, whether there's a preview already available, what the eventual search results are, and so on.

0 Karma