Fix error in splunk-utils/search: GetData API Vers...

ohbuckeyeio · ‎02-14-2023

Hello,

I am using the splunk-utils SDK to try and search Splunk 9.0.4 from an external app. I am able to submit an initial search with a bearer token and can see my local instance receiving it and returning a search SID. However, when I try to retrieve the results with getData, I get an error saying "Invalid Version: undefined"

// https://splunkui.splunk.com/Packages/splunk-utils/Search
const n = await getData(
  sid,
  "results",
  { output_mode: "json_cols" },
  { splunkdPath: serverURL, app: "myapp", owner: "nobody"},
  headers
)

Tracing the node_modules, I can see that the getData in search.js is trying to figure out the version, but I am not following how. This seems to be the line that is determining if v2 should be used:

  // Use V2 endpoints only where available
  // https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#Semantic_API_versioning
  var V2_ENDPOINTS = ['results', 'results_preview', 'events'];
  var endpointVersion = V2_ENDPOINTS.includes(endpoint) && gteSplunkVersion(_config.versionLabel, '9.0.2', '9.0.2209') ? '/v2' : '';

I have been looking at this example from @ryanoconnor and @nhaq but am not seeing how the right API version is being determined.

https://github.com/splunk/react_search_example/blob/main/src/App.js

Any ideas how to update my call to tell my getData what version to use? I am assuming this is unhappy about a missing version but maybe it's something else...

Full Error:

index.js:1 TypeError: Invalid Version: undefined
    at new SemVer (semver.js:19:1)
    at patch (patch.js:2:1)
    at gteSplunkVersion (search.js:53:1)
    at getData (search.js:326:1)
    at loadResults (splunksearch.js:80:1)
    at retrieveJob (splunksearch.js:56:1)

ohbuckeyeio · ‎02-14-2023

Adding additional information.

Looking further at the search.js's getData implementation, I might have a versioning issue happening with my splunk-utils package. The notes for getData suggest it is doing a GET:

https://splunkui.splunk.com/Packages/splunk-utils/Search

Makes a GET request to the search/${endpointVersion}/jobs/${search_id}/${endpoint} REST API endpoint to get data from the specified search job.

My version of the package is doing a POST. These changes appear to have been pushed in the last few weeks according to the change log.

  if (parameters.search && endpointVersion === '/v2') {
    return fetch(url, _objectSpread(_objectSpread({}, baseFetchInit), {}, {
      method: 'POST',
      body: qs
    })).then((0, _fetch.handleResponse)([200, 204]))["catch"]((0, _fetch.handleError)("Failed to get ".concat(endpoint || 'status', " for job ").concat(sid)));
  }

ohbuckeyeio · ‎02-14-2023

Sure enough, downgrading to version 2.2.4 fixed my issue. There must be something fundamentally different with the latest 2.3.1 version that is not playing well with an externally-based application calling Splunk.

npm install @splunk/splunk-utils@"2.2.4"

The 2.3.1 version appears to be reliant on the Config package, but running outside of a Splunk environment, I do not see how it is possible to gather those facts and the documentation on this endpoint is lacking.

https://splunkui.splunk.com/Packages/splunk-utils/Config

Does the 2.3.1 version of getData require a cookie instead of a bearer token in a header? What am I missing? I might need to move this to a case with Splunk.

Fix error in splunk-utils/search: GetData API Version undefined?

SDK

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...