Hey together,
I'm trying to fetch data from Splunk via the REST API in a React application.
When I try to create a search job with this code (you can try this code in the console of your browser in Splunk Web!):
fetch('/splunkd/services/search/jobs', {
  credentials: 'include',
  method: 'POST',
  headers: new Headers({
    'Content-Type': 'application/x-www-form-urlencoded'
  }),
  body: new URLSearchParams({
    'search': 'search |makeresults 2',
    'output_mode': 'json'
  }),
  redirect: 'follow'
}).then((res) => res.text()).then((data) => console.log(data))
I'm getting all the search jobs that are currently running. When I look at the REST API for /splunkd/services/search/jobs, I would expect the response to be the sid of the new search job.
I tried it with postman and there I get a response I expect like:
{
  "sid": "123456789.123"
}
Whatever I try, it doesn't work. What am I missing? I also set X-Splunk-Form-Key and X-Requested-With. Still doesn't work.
Is there a difference using /splunkd or https://localhost...?
I know there are libraries with createSearchJob() and getData(). They worked, but I couldn't use them well with Query react.
@Janis
Can you try with management port
https://localhost:8089/services/search/jobs?output_mode=json
and basic authentication
Regards,
Prewin
I tried it, but I get the error: "Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID"
But this problem seems to be a CORS problem because I didn't set up the certificates.
I think in a production environment I can't manage this even if I get this to work, so I will try something else (see other response).
Hi @Janis ,
That may happen because your code is somehow passing it as GET instead of POST (though I see the POST method there, it may not be interpreted as you want). Also, your search string is invalid. See, you are passing it as "search | makeresults 2", so the search command is getting makeresults to be interpreted as a search string instead of a command.
Try to execute with a search string as simple as "| makeresults count=2".
Ideally, try via the REST URL/port instead of splunkd. Not that it doesn't work fine there, but using REST is easier to manage/debug IMO.
So, what about something like this:
const options = {
  method: 'GET',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    Authorization: 'Basic <your_auth>'
  },
  body: new URLSearchParams({search: '| makeresults count=2', output_mode: 'json'})
};
fetch('https://<your_host>:<your_rest_port>/services/search/jobs', options)
  .then(response => response.json())
  .then(response => console.log(response))
  .catch(err => console.error(err));
Yeah, it looks like it sends only a GET request, because the answer is the current search jobs.
Your code doesn't work, because a GET method doesn't accept a body. I also tried with POST, but got the same problem as in PrewinThomas's answer.
So I tried the library @splunk/splunk-utils/search and did a createSearchJob(). Then I looked in the dev tools and got this request. I modified it a bit:
fetch('http://127.0.0.1:8000/de-DE/splunkd/__raw/services/search/jobs', {
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    'x-requested-with': 'XMLHttpRequest',
    'x-splunk-form-key': '<YOUR_KEY>',
  },
  body: new URLSearchParams({
    search: 'search | makeresults 2',
    output_mode: 'json',
  }),
  method: 'POST',
})
  .then((r) => r.json())
  .then((data) => console.log(data));
And this works! Anyway, I guess I will first stick to the library. Maybe later I can improve fetching the data.
Here I get the request e.g. as fetch(). You can find the x-splunk-form-key under the cookies as "splunkweb_csrf_token_8000".
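The working request from the post above, written out as an added example that is not part of the original thread or of any Splunk library: it reads the form key from the splunkweb_csrf_token_<port> cookie at call time instead of pasting it into the source, and it rejects a job listing returned in place of a sid. The helper names are hypothetical; the cookie name, path, locale prefix and headers are the ones shown in the thread.

```javascript
// Added example; helper names are hypothetical. Cookie name, path and headers come from the thread.

// Read the Splunk Web CSRF token from a cookie string (document.cookie in the browser).
function getFormKey(cookieString, webPort) {
  const name = `splunkweb_csrf_token_${webPort}`;
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  throw new Error(`cookie ${name} not found; is the user logged in to Splunk Web?`);
}

// Build the same-origin POST that Splunk Web's proxy endpoint expects.
function buildJobRequest(search, formKey, locale = 'de-DE') {
  return {
    url: `/${locale}/splunkd/__raw/services/search/jobs`,
    init: {
      method: 'POST',
      credentials: 'same-origin', // the session cookie is sent to Splunk Web only
      headers: {
        'content-type': 'application/x-www-form-urlencoded',
        'x-requested-with': 'XMLHttpRequest',
        'x-splunk-form-key': formKey,
      },
      body: new URLSearchParams({ search, output_mode: 'json' }).toString(),
    },
  };
}

// A created job answers {"sid": "..."}. Splunk's JSON listings carry an "entry"
// array instead, which is the symptom described in the thread.
function extractSid(payload) {
  if (payload && typeof payload.sid === 'string' && payload.sid !== '') return payload.sid;
  if (payload && Array.isArray(payload.entry)) {
    throw new Error('got a job listing instead of a sid: request was not handled as a POST');
  }
  throw new Error('unexpected response: no sid');
}

// In the browser: createSearchJob('| makeresults count=2', { cookies: document.cookie })
async function createSearchJob(search, { cookies, webPort = 8000, fetchImpl = fetch } = {}) {
  const { url, init } = buildJobRequest(search, getFormKey(cookies, webPort));
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`Splunk returned HTTP ${res.status}`);
  return extractSid(await res.json());
}
```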
Nice!
Actually in my response I meant POST, but I ended up typing GET as in my mind I was still thinking about the fact that you were sending GET without knowing... Forgive me, I should have double checked my code 🙂
This issue that you mentioned, "Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID", refers to specific certificate validation issues. Most likely your instance is using self-signed certs, so React will find those and hit those cert authority issues just to protect the client, as we see for example in the browser when you are trying to do the same.
Unfortunately there is no way around it like skipping the verification for React, but if you install a trusted certificate in your Splunk instance this won't be a problem anymore.
Just saying, as you may want to consider that in the future.
For now, as you got it working with the lib directly, go for it 🙂
Thanks for the advice! I will keep that in mind, when I try it again.
Now I will focus on the application and play with data and visualization 🙌.
See You!