Splunk Dev

How to get REST API to respond with simple XML?

yuanliu
SplunkTrust
SplunkTrust

Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information in a format that is very different from exemplified in the document, i.e., something like

<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response> 

 (which was also how an older server responded.) Instead, the new server's response is like

 

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://myserver:8089/services/search/jobs</id>
  <updated>2021-03-15T22:56:36+00:00</updated>
  <generator build="545206cc9f70" version="8.1.2"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>| archivebuckets</title>
    <id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
    <updated>2021-03-15T22:17:01.161+00:00</updated>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
    <published>2021-03-15T22:17:00.000+00:00</published>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="canSummarize">0</s:key>
        <s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="defaultSaveTTL">604800</s:key>
        <s:key name="defaultTTL">600</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">53248</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">0</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">0</s:key>
        <s:key name="eventSearch">archivebuckets </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isBatchModeSearch">0</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isEventsPreviewEnabled">0</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isTimeCursored">0</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords"></s:key>
        <s:key name="label">Bucket Copy Trigger</s:key>
        <s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
        <s:key name="normalizedSearch"></s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="optimizedSearch">| archivebuckets</s:key>
        <s:key name="phase0"></s:key>
        <s:key name="phase1">archivebuckets  | timeliner  remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
        <s:key name="pid">825113</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="provenance">scheduler</s:key>
        <s:key name="remoteSearch"></s:key>
        <s:key name="reportSearch"></s:key>
        <s:key name="resultCount">0</s:key>
        <s:key name="resultIsStreaming">1</s:key>
        <s:key name="resultPreviewCount">0</s:key>
        <s:key name="runDuration">0.89</s:key>
        <s:key name="sampleRatio">1</s:key>
        <s:key name="sampleSeed">0</s:key>
        <s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
        <s:key name="scanCount">0</s:key>
        <s:key name="search">| archivebuckets</s:key>
        <s:key name="searchCanBeEventType">0</s:key>
        <s:key name="searchLatestTime">1615846620.000000000</s:key>
        <s:key name="searchTotalBucketsCount">0</s:key>
        <s:key name="searchTotalEliminatedBucketsCount">0</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">4825</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.archivebuckets">
              <s:dict>
                <s:key name="duration_secs">0.858</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.timeliner">
              <s:dict>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createdSearchResultInfrastructure">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.archivebuckets">
              <s:dict>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.finalWriteToDisk">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.readEventsInResults">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.timeline">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.writeStatus">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.configuration">
              <s:dict>
                <s:key name="duration_secs">0.02</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.handoff">
              <s:dict>
                <s:key name="duration_secs">0.092</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="auto_cancel">0</s:key>
            <s:key name="auto_pause">0</s:key>
            <s:key name="buckets">0</s:key>
            <s:key name="earliest_time"></s:key>
            <s:key name="index_earliest"></s:key>
            <s:key name="index_latest"></s:key>
            <s:key name="indexedRealtime"></s:key>
            <s:key name="indexedRealtimeMinSpan"></s:key>
            <s:key name="indexedRealtimeOffset"></s:key>
            <s:key name="latest_time">now</s:key>
            <s:key name="lookups">1</s:key>
            <s:key name="max_count">500000</s:key>
            <s:key name="max_time">0</s:key>
            <s:key name="reduce_freq">10</s:key>
            <s:key name="rt_backfill">0</s:key>
            <s:key name="rt_maximum_span"></s:key>
            <s:key name="sample_ratio">1</s:key>
            <s:key name="spawn_process">1</s:key>
            <s:key name="time_format">%FT%T.%Q%:z</s:key>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">splunk-system-user</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">splunk_archiver</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="ttl">7200</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
...
  </entry>
  <entry>
...
  </entry>
...
</feed>

 

So instead of one simple <sid/> property in <response/>, the SID is embedded in one of nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even SID format is very different from the document.) In fact, the return is a job list instead of a single job.

I am not sure if this makes a difference: I am using an authorization token to authenticate with the API.  The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.

Additionally, I am not able to get any output when querying results of the returned SID.  In Splunk Web, all jobs submitted by splunk-system-user shows in application "splunk_archiver" instead of search which is the default application when I search in Splunk Web.  The user to which the authorization token belongs to has role of "user" and default app of "launcher" like any other user.

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

View solution in original post

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...