Security

How to use @myFile.spl to query Splunk API?

victorsalazar
Explorer

Hello All

I need to send a request to Splunk API from a Linux server but the Curl is complaining because the search argument is too long (could be up to 500000 chars). my question is: how we can use @myFile.spl to query splunk api?

This is what I have done so far but no luck yet

 

  1. curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=`echo $myVar` 
    error  Argument list too long

  2. curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d  @query2.spl  (Format1 in query2.spl file--> "search= | search index=myIndex ...."    up to 500000 char)
    error {"messages":[{"type":"FATAL","text":"Empty search."}]}

  3. curl --noproxy '*' -k -H "Authorization: Splunk myToken" 
    https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d  @query2.spl  (Format2 in query2.spl file --> search= "| search index=myIndex ...."    up to 500000 char -- difference with 3 is quotes position)
    error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '\"'. Error at position '0' of search query '\"| search index...."

  4. curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=@query2.spl  
    (Format2 in query2.spl file --> "| search index=myIndex ...."    up to 500000 char -- difference with 3 is quotes position)
    error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '@'. Error at position '0' of search query '@query2.spl'.","help":""}]}
Labels (1)
0 Karma

victorsalazar
Explorer

Hello All

I was able to solve this issue, I was digging on cURL capabilities and the answer is cURL -K configFile.

Below is how it works:

First suppose you require to send an extremely long query to Splunk API from your app or script with your cURL command (SPL search command in my case 121852 chars)

1. curl command

curl -K query.spl --noproxy '*' -H "Authorization: Splunk myTOKEN" https://mySearchHEAD:8089/servicesNS/admin/search/search/jobs 

### --noproxy '*' it is optional and depends on your network setup

2. Your config file query.spl content and synaxis 

[someUser@algunServidor:~/myDirectorio]$ more query.spl

-d exec_mode=oneshot   ## this can be normal
-d output_mode=json       ## this can be xml or csv

-d "search=| search index=myIndex sourcetype=mySourcetype _raw=*somethingIamLooking for* field1=something1 field2=something2 .... fieldN=somethingN earliest=-1h latest=now"  

### really important to pay attention to the quotes in red above you need them to make it work. 

I hope this help someone 🙂

 

 

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...