Solved: Re: Splunk REST API | Validate SPL

kirchoff · ‎01-21-2022

Hi all,

I am working on a project that take SPL input from user. So, i need to be sure that SPL has a correct syntax without making a search with the SPL. I could not see but is there a validator for SPLs?

mcmaster · ‎04-11-2022

You can use /services/search/parser to validate SPL:

smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq .
{
  "remoteSearch": "litsearch (index=foo sourcetype=bar) | fields  keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
  "normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
  "remoteTimeOrdered": true,
  "eventsSearch": "search index=foo sourcetype=bar",
  "eventsTimeOrdered": true,
  "eventsStreaming": true,
  "reportsSearch": "",
  "isStreamingSearch": true,
  "canSummarize": false,
  "commands": [
    {
      "command": "search",
      "rawargs": "index=foo sourcetype=bar",
      "pipeline": "streaming",
      "args": {
        "search": [
          "(index=foo sourcetype=bar)"
        ]
      },
      "isGenerating": true,
      "streamType": "SP_STREAM"
    }
  ]
}
smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq .
{
  "messages": [
    {
      "type": "FATAL",
      "text": "Unknown search command 'bizzbuzz'."
    }
  ]
}
smcmaster@splunk ~ %

Successful parsing (such as the first example) results in 200, failure (such as the second example) results in a 400.

View solution in original post

mcmaster · ‎04-11-2022

You can use /services/search/parser to validate SPL:

smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq .
{
  "remoteSearch": "litsearch (index=foo sourcetype=bar) | fields  keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
  "normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
  "remoteTimeOrdered": true,
  "eventsSearch": "search index=foo sourcetype=bar",
  "eventsTimeOrdered": true,
  "eventsStreaming": true,
  "reportsSearch": "",
  "isStreamingSearch": true,
  "canSummarize": false,
  "commands": [
    {
      "command": "search",
      "rawargs": "index=foo sourcetype=bar",
      "pipeline": "streaming",
      "args": {
        "search": [
          "(index=foo sourcetype=bar)"
        ]
      },
      "isGenerating": true,
      "streamType": "SP_STREAM"
    }
  ]
}
smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq .
{
  "messages": [
    {
      "type": "FATAL",
      "text": "Unknown search command 'bizzbuzz'."
    }
  ]
}
smcmaster@splunk ~ %

Successful parsing (such as the first example) results in 200, failure (such as the second example) results in a 400.

Splunk REST API | Validate SPL

SDK

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Splunk REST API | Validate SPL

SDK

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES