Why does REST API POST return all search in my Angular app (it seems the search is not getting parsed)?

Pat
Path Finder

So I have an Angular app that compiles and runs, and I get a response, but it is sending me all the data. I have compared it to a Postman call where I put nothing in the body and it seems to be the same, so I think the issue is that the post is not sending in the body data. I have tried to send it both in the body and using the params feature. One complication is that when I console log params I don't get the specifics like I do with the body. OK, so I'm not going to bother putting in the header as it has the token in it, and the call does go through, so it seems like the preflight and everything is working. For the body approach I am using:

// The whole request body is serialized as one JSON string.
const body = JSON.stringify({
  search: 'search index=dct_claims_dev dct_tenantID=10061675a sourcetype=\"mscs:azure:eventhub\" \"body.ApplicationName\"=* correlation_id!=null log_level=\"*\" \"body.@timestamp\"=\"*\" message=\"*\" \"body.Data\"=\"*\" | rex field=message \"(?i)(?<Message>.+?)(stack|\\Z)\" | rex field=body.Data \"(?i)(?<Data>.+?)(stack|\\Z)\" | rename \"body.@timestamp\" as \"Timestamp\", \"body.ApplicationName\" as Source, \"correlation_id\" as \"CorrelationId\", \"log_level\" as \"LogLevel\" | table Timestamp dct_tenantID Source dest CorrelationId LogLevel Message Data | sort - Timestamp',
  earliest_time: '-5m',
  latest_time: 'now',
  adhoc_search_level: 'fast'
});
this.http.post('/api', body, { responseType: 'text', headers: headers }).subscribe(response => {
  this.apiResult = response;
  console.log(body);
  console.log(response);
});

and the console log of body (remember response is just everything) is:

{"search":"search index=dct_claims_dev dct_tenantID=10061675a sourcetype=\"mscs:azure:eventhub\" \"body.ApplicationName\"=* correlation_id!=null log_level=\"*\" \"body.@timestamp\"=\"*\" message=\"*\" \"body.Data\"=\"*\" | rex field=message \"(?i)(?<Message>.+?)(stack|\\Z)\" | rex field=body.Data \"(?i)(?<Data>.+?)(stack|\\Z)\" | rename \"body.@timestamp\" as \"Timestamp\", \"body.ApplicationName\" as Source, \"correlation_id\" as \"CorrelationId\", \"log_level\" as \"LogLevel\" | table Timestamp dct_tenantID Source dest CorrelationId LogLevel Message Data | sort - Timestamp","earliest_time":"-5m","latest_time":"now","adhoc_search_level":"fast"}

While the params version I have is:

const params = new HttpParams()
  .set('search', 'search index=dct_claims_dev')
  .set('earliest_time', '-5m')
  .set('latest_time', 'now')
  .set('adhoc_search_level', 'fast');

const options = {
  headers: headers,
  params: params
};

this.http.post('/api', null, { responseType: 'text', headers: headers, params: params }).subscribe(response => {
  this.apiResult = response;
  console.log(params);
  console.log(headers);
  console.log(response);
});

and the console log of headers and params (I put in headers because I wanted to compare the output to params):

HttpParams {updates: null, cloneFrom: null, encoder: HttpUrlEncodingCodec, map: Map(4)}
app.component.ts:33 HttpHeaders {normalizedNames: Map(2), lazyUpdate: null, lazyInit: null, headers: Map(2)}

Any ideas?

0 Karma
1 Solution

Pat
Path Finder

I got this figured out, so I'm going to answer my own question here. Turns out the params version will work if it's put into the body and if it's concatenated. So it's the same params one, but take params out of options and replace the null body with params.toString(). Hope this helps somebody.

0 Karma
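Why the JSON body behaved like an empty body while `params.toString()` worked, as an added example that is not part of the original posts. It assumes the endpoint behind `/api` reads the POST body as form-encoded `key=value` pairs; `URLSearchParams` stands in for Angular's `HttpParams`, and `parseAsForm` and `inspectBody` are hypothetical helpers.

```javascript
// Added example, not code from the thread. Runs in Node or a browser console.
// Assumption: the receiving endpoint decodes the POST body as
// application/x-www-form-urlencoded and looks for a "search" field.

// Constructed sample fields, shortened from the search in the question.
const fields = {
  search: 'search index=dct_claims_dev sourcetype="mscs:azure:eventhub" | sort - Timestamp',
  earliest_time: '-5m',
  latest_time: 'now',
  adhoc_search_level: 'fast',
};

// First attempt in the question: the body is a single JSON document.
function jsonBody(f) {
  return JSON.stringify(f);
}

// Accepted fix: key=value pairs joined with '&', percent-encoded.
// URLSearchParams#toString() plays the role of HttpParams#toString() here.
function formBody(f) {
  return new URLSearchParams(f).toString();
}

// Hypothetical stand-in for the server side: decode the body as a form.
function parseAsForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Report which fields a form-decoding receiver would actually see.
function inspectBody(body) {
  const seen = parseAsForm(body);
  return {
    hasSearch: Object.prototype.hasOwnProperty.call(seen, 'search'),
    search: seen.search,
    keys: Object.keys(seen),
  };
}

// JSON body: no '&' separators, so the receiver sees one garbage key and
// no "search" field, which matches a call with nothing useful in the body.
console.log('JSON body ->', inspectBody(jsonBody(fields)));

// Form body: all four fields survive the round trip intact.
console.log('form body ->', inspectBody(formBody(fields)));
```

When sending the form-encoded string, the request's `Content-Type` should be `application/x-www-form-urlencoded` so the receiver and any proxy in between agree on how to decode it.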