Splunk Dev

How to get REST API to respond with simple XML?

yuanliu
SplunkTrust
SplunkTrust

Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information in a format that is very different from exemplified in the document, i.e., something like

<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response> 

 (which was also how an older server responded.) Instead, the new server's response is like

 

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://myserver:8089/services/search/jobs</id>
  <updated>2021-03-15T22:56:36+00:00</updated>
  <generator build="545206cc9f70" version="8.1.2"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>| archivebuckets</title>
    <id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
    <updated>2021-03-15T22:17:01.161+00:00</updated>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
    <published>2021-03-15T22:17:00.000+00:00</published>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="canSummarize">0</s:key>
        <s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="defaultSaveTTL">604800</s:key>
        <s:key name="defaultTTL">600</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">53248</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">0</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">0</s:key>
        <s:key name="eventSearch">archivebuckets </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isBatchModeSearch">0</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isEventsPreviewEnabled">0</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isTimeCursored">0</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords"></s:key>
        <s:key name="label">Bucket Copy Trigger</s:key>
        <s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
        <s:key name="normalizedSearch"></s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="optimizedSearch">| archivebuckets</s:key>
        <s:key name="phase0"></s:key>
        <s:key name="phase1">archivebuckets  | timeliner  remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
        <s:key name="pid">825113</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="provenance">scheduler</s:key>
        <s:key name="remoteSearch"></s:key>
        <s:key name="reportSearch"></s:key>
        <s:key name="resultCount">0</s:key>
        <s:key name="resultIsStreaming">1</s:key>
        <s:key name="resultPreviewCount">0</s:key>
        <s:key name="runDuration">0.89</s:key>
        <s:key name="sampleRatio">1</s:key>
        <s:key name="sampleSeed">0</s:key>
        <s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
        <s:key name="scanCount">0</s:key>
        <s:key name="search">| archivebuckets</s:key>
        <s:key name="searchCanBeEventType">0</s:key>
        <s:key name="searchLatestTime">1615846620.000000000</s:key>
        <s:key name="searchTotalBucketsCount">0</s:key>
        <s:key name="searchTotalEliminatedBucketsCount">0</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">4825</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.archivebuckets">
              <s:dict>
                <s:key name="duration_secs">0.858</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.timeliner">
              <s:dict>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createdSearchResultInfrastructure">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.archivebuckets">
              <s:dict>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.finalWriteToDisk">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.readEventsInResults">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.timeline">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.writeStatus">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.configuration">
              <s:dict>
                <s:key name="duration_secs">0.02</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.handoff">
              <s:dict>
                <s:key name="duration_secs">0.092</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="auto_cancel">0</s:key>
            <s:key name="auto_pause">0</s:key>
            <s:key name="buckets">0</s:key>
            <s:key name="earliest_time"></s:key>
            <s:key name="index_earliest"></s:key>
            <s:key name="index_latest"></s:key>
            <s:key name="indexedRealtime"></s:key>
            <s:key name="indexedRealtimeMinSpan"></s:key>
            <s:key name="indexedRealtimeOffset"></s:key>
            <s:key name="latest_time">now</s:key>
            <s:key name="lookups">1</s:key>
            <s:key name="max_count">500000</s:key>
            <s:key name="max_time">0</s:key>
            <s:key name="reduce_freq">10</s:key>
            <s:key name="rt_backfill">0</s:key>
            <s:key name="rt_maximum_span"></s:key>
            <s:key name="sample_ratio">1</s:key>
            <s:key name="spawn_process">1</s:key>
            <s:key name="time_format">%FT%T.%Q%:z</s:key>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">splunk-system-user</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">splunk_archiver</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="ttl">7200</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
...
  </entry>
  <entry>
...
  </entry>
...
</feed>

 

So instead of one simple <sid/> property in <response/>, the SID is embedded in one of nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even SID format is very different from the document.) In fact, the return is a job list instead of a single job.

I am not sure if this makes a difference: I am using an authorization token to authenticate with the API.  The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.

Additionally, I am not able to get any output when querying results of the returned SID.  In Splunk Web, all jobs submitted by splunk-system-user shows in application "splunk_archiver" instead of search which is the default application when I search in Splunk Web.  The user to which the authorization token belongs to has role of "user" and default app of "launcher" like any other user.

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

View solution in original post

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...