- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- How to use @myFile.spl to query Splunk API?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use @myFile.spl to query Splunk API?
Hello All
I need to send a request to Splunk API from a Linux server but the Curl is complaining because the search argument is too long (could be up to 500000 chars). my question is: how we can use @myFile.spl to query splunk api?
This is what I have done so far but no luck yet
- curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=`echo $myVar`
error Argument list too long - curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d @query2.spl (Format1 in query2.spl file--> "search= | search index=myIndex ...." up to 500000 char)
error {"messages":[{"type":"FATAL","text":"Empty search."}]} - curl --noproxy '*' -k -H "Authorization: Splunk myToken"
https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d @query2.spl (Format2 in query2.spl file --> search= "| search index=myIndex ...." up to 500000 char -- difference with 3 is quotes position)
error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '\"'. Error at position '0' of search query '\"| search index...." - curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=@query2.spl
(Format2 in query2.spl file --> "| search index=myIndex ...." up to 500000 char -- difference with 3 is quotes position)
error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '@'. Error at position '0' of search query '@query2.spl'.","help":""}]}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All
I was able to solve this issue, I was digging on cURL capabilities and the answer is cURL -K configFile.
Below is how it works:
First suppose you require to send an extremely long query to Splunk API from your app or script with your cURL command (SPL search command in my case 121852 chars)
1. curl command
curl -K query.spl --noproxy '*' -H "Authorization: Splunk myTOKEN" https://mySearchHEAD:8089/servicesNS/admin/search/search/jobs
### --noproxy '*' it is optional and depends on your network setup
2. Your config file query.spl content and synaxis
[someUser@algunServidor:~/myDirectorio]$ more query.spl
-d exec_mode=oneshot ## this can be normal
-d output_mode=json ## this can be xml or csv
-d "search=| search index=myIndex sourcetype=mySourcetype _raw=*somethingIamLooking for* field1=something1 field2=something2 .... fieldN=somethingN earliest=-1h latest=now"
### really important to pay attention to the quotes in red above you need them to make it work.
I hope this help someone 🙂
Enterprise Security Content Update (ESCU) | New Releases
Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest
We’ve Got Education Validation!
