Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to get REST API to respond with simple XML?

yuanliu
SplunkTrust
SplunkTrust
‎03-15-2021 05:27 PM

Using a really basic search like the one illustrated in Example: Create a search, my freshly installed 8.1.2 responds with a lot more unrelated information in a format that is very different from exemplified in the document, i.e., something like

<?xml version='1.0' encoding='UTF-8'?>
<response>
  <sid>1258421375.19</sid>
</response> 

 (which was also how an older server responded.) Instead, the new server's response is like

 

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://myserver:8089/services/search/jobs</id>
  <updated>2021-03-15T22:56:36+00:00</updated>
  <generator build="545206cc9f70" version="8.1.2"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>| archivebuckets</title>
    <id>https://myserver:8089/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</id>
    <updated>2021-03-15T22:17:01.161+00:00</updated>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1" rel="alternate"/>
    <published>2021-03-15T22:17:00.000+00:00</published>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search.log" rel="search.log"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/search_telemetry.json" rel="search_telemetry.json"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="canSummarize">0</s:key>
        <s:key name="cursorTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="defaultSaveTTL">604800</s:key>
        <s:key name="defaultTTL">600</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">53248</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">1970-01-01T00:00:00.000+00:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">0</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">0</s:key>
        <s:key name="eventSearch">archivebuckets </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isBatchModeSearch">0</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isEventsPreviewEnabled">0</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isTimeCursored">0</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords"></s:key>
        <s:key name="label">Bucket Copy Trigger</s:key>
        <s:key name="latestTime">2021-03-15T22:17:00.000+00:00</s:key>
        <s:key name="normalizedSearch"></s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="optimizedSearch">| archivebuckets</s:key>
        <s:key name="phase0"></s:key>
        <s:key name="phase1">archivebuckets  | timeliner  remote=0 partial_commits=0 max_events_per_bucket=500000 fieldstats_update_maxperiod=60 bucket=0</s:key>
        <s:key name="pid">825113</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="provenance">scheduler</s:key>
        <s:key name="remoteSearch"></s:key>
        <s:key name="reportSearch"></s:key>
        <s:key name="resultCount">0</s:key>
        <s:key name="resultIsStreaming">1</s:key>
        <s:key name="resultPreviewCount">0</s:key>
        <s:key name="runDuration">0.89</s:key>
        <s:key name="sampleRatio">1</s:key>
        <s:key name="sampleSeed">0</s:key>
        <s:key name="savedSearchLabel">{"owner":"nobody","app":"splunk_archiver","sharing":"app"}</s:key>
        <s:key name="scanCount">0</s:key>
        <s:key name="search">| archivebuckets</s:key>
        <s:key name="searchCanBeEventType">0</s:key>
        <s:key name="searchLatestTime">1615846620.000000000</s:key>
        <s:key name="searchTotalBucketsCount">0</s:key>
        <s:key name="searchTotalEliminatedBucketsCount">0</s:key>
        <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">4825</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.archivebuckets">
              <s:dict>
                <s:key name="duration_secs">0.858</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.timeliner">
              <s:dict>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">0</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createdSearchResultInfrastructure">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.archivebuckets">
              <s:dict>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.finalWriteToDisk">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.readEventsInResults">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.timeline">
              <s:dict>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.writeStatus">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.configuration">
              <s:dict>
                <s:key name="duration_secs">0.02</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
            <s:key name="startup.handoff">
              <s:dict>
                <s:key name="duration_secs">0.092</s:key>
                <s:key name="invocations">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="auto_cancel">0</s:key>
            <s:key name="auto_pause">0</s:key>
            <s:key name="buckets">0</s:key>
            <s:key name="earliest_time"></s:key>
            <s:key name="index_earliest"></s:key>
            <s:key name="index_latest"></s:key>
            <s:key name="indexedRealtime"></s:key>
            <s:key name="indexedRealtimeMinSpan"></s:key>
            <s:key name="indexedRealtimeOffset"></s:key>
            <s:key name="latest_time">now</s:key>
            <s:key name="lookups">1</s:key>
            <s:key name="max_count">500000</s:key>
            <s:key name="max_time">0</s:key>
            <s:key name="reduce_freq">10</s:key>
            <s:key name="rt_backfill">0</s:key>
            <s:key name="rt_maximum_span"></s:key>
            <s:key name="sample_ratio">1</s:key>
            <s:key name="spawn_process">1</s:key>
            <s:key name="time_format">%FT%T.%Q%:z</s:key>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                    <s:item>splunk-system-user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">splunk-system-user</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">splunk_archiver</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="ttl">7200</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
...
  </entry>
  <entry>
...
  </entry>
...
</feed>

 

So instead of one simple <sid/> property in <response/>, the SID is embedded in one of nested <entry><s:dict><s:key/> properties, like <s:key name="sid">scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1615846620_1</s:key>. (Even SID format is very different from the document.) In fact, the return is a job list instead of a single job.

I am not sure if this makes a difference: I am using an authorization token to authenticate with the API.  The <author/> of the response, meanwhile, is always splunk-system-user instead of the user that the token belongs to.

Additionally, I am not able to get any output when querying results of the returned SID.  In Splunk Web, all jobs submitted by splunk-system-user shows in application "splunk_archiver" instead of search which is the default application when I search in Splunk Web.  The user to which the authorization token belongs to has role of "user" and default app of "launcher" like any other user.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-15-2021 05:58 PM

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-15-2021 05:58 PM

The problem is in my query format.  Search query must be submitted in POST but my query was sent via GET.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...