Solved: How to get REST API to respond with simple XML?

yuanliu · ‎03-15-2021

Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information in a format that is very different from exemplified in the document, i.e., something like

<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response>

(which was also how an older server responded.) Instead, the new server's response is like

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://myserver:8089/services/search/jobs</id>
  <updated>2021-03-15T22:56:36+00:00</updated>
  <generator build="545206cc9f70" version="8.1.2"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>| archivebuckets</title>
    <id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
    <updated>2021-03-15T22:17:01.161+00:00</updated>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
    <published>2021-03-15T22:17:00.000+00:00</published>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="canSummarize">0</s:key>
        <s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="defaultSaveTTL">604800</s:key>
        <s:key name="defaultTTL">600</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">53248</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">0</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">0</s:key>
        <s:key name="eventSearch">archivebuckets </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isBatchModeSearch">0</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isEventsPreviewEnabled">0</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isTimeCursored">0</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords"></s:key>
        <s:key name="label">Bucket Copy Trigger</s:key>
        <s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
        <s:key name="normalizedSearch"></s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="optimizedSearch">| archivebuckets</s:key>
        <s:key name="phase0"></s:key>
        <s:key name="phase1">archivebuckets  | timeliner  remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
        <s:key name="pid">825113</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="provenance">scheduler</s:key>
        <s:key name="remoteSearch"></s:key>
        <s:key name="reportSearch"></s:key>
        <s:key name="resultCount">0</s:key>
        <s:key name="resultIsStreaming">1</s:key>
        <s:key name="resultPreviewCount">0</s:key>
        <s:key name="runDuration">0.89</s:key>
        <s:key name="sampleRatio">1</s:key>
        <s:key name="sampleSeed">0</s:key>
        <s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
        <s:key name="scanCount">0</s:key>
        <s:key name="search">| archivebuckets</s:key>
        <s:key name="searchCanBeEventType">0</s:key>
        <s:key name="searchLatestTime">1615846620.000000000</s:key>
        <s:key name="searchTotalBucketsCount">0</s:key>
        <s:key name="searchTotalEliminatedBucketsCount">0</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">4825</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.archivebuckets">
              <s:dict>
                <s:key name="duration_secs">0.858</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.timeliner">
              <s:dict>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createdSearchResultInfrastructure">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.archivebuckets">
              <s:dict>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.finalWriteToDisk">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.readEventsInResults">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.timeline">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.writeStatus">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.configuration">
              <s:dict>
                <s:key name="duration_secs">0.02</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.handoff">
              <s:dict>
                <s:key name="duration_secs">0.092</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="auto_cancel">0</s:key>
            <s:key name="auto_pause">0</s:key>
            <s:key name="buckets">0</s:key>
            <s:key name="earliest_time"></s:key>
            <s:key name="index_earliest"></s:key>
            <s:key name="index_latest"></s:key>
            <s:key name="indexedRealtime"></s:key>
            <s:key name="indexedRealtimeMinSpan"></s:key>
            <s:key name="indexedRealtimeOffset"></s:key>
            <s:key name="latest_time">now</s:key>
            <s:key name="lookups">1</s:key>
            <s:key name="max_count">500000</s:key>
            <s:key name="max_time">0</s:key>
            <s:key name="reduce_freq">10</s:key>
            <s:key name="rt_backfill">0</s:key>
            <s:key name="rt_maximum_span"></s:key>
            <s:key name="sample_ratio">1</s:key>
            <s:key name="spawn_process">1</s:key>
            <s:key name="time_format">%FT%T.%Q%:z</s:key>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">splunk-system-user</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">splunk_archiver</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="ttl">7200</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
...
  </entry>
  <entry>
...
  </entry>
...
</feed>

So instead of one simple <sid/> property in <response/>, the SID is embedded in one of nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even SID format is very different from the document.) In fact, the return is a job list instead of a single job.

I am not sure if this makes a difference: I am using an authorization token to authenticate with the API. The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.

Additionally, I am not able to get any output when querying results of the returned SID. In Splunk Web, all jobs submitted by splunk-system-user shows in application "splunk_archiver" instead of search which is the default application when I search in Splunk Web. The user to which the authorization token belongs to has role of "user" and default app of "launcher" like any other user.

yuanliu · ‎03-15-2021

The problem is in my query format. Search query must be submitted in POST but my query was sent via GET.

View solution in original post

yuanliu · ‎03-15-2021

The problem is in my query format. Search query must be submitted in POST but my query was sent via GET.

How to get REST API to respond with simple XML?

rest API

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!