Splunk Enterprise

REST API search not working when using cs_uri_stem/cs_uri_query in the query

manoharkalva
Engager

I am able to search from Splunk Web using the below string:

cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName

But when I use the same search string in a REST API call, it's not working.

curl -ku username:paswd https://splunkapiurl:port/servicesNS/admin/search/search/jobs/export -d search=“search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName” -d output_mode=csv

manoharkalva_1-1607678614331.png

 

Please help me out resolving the issue.

0 Karma

scelikok
SplunkTrust

The problem is because of the double quotes inside the search string. Please try the below:

curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search='search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName' -d output_mode=csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Thank you for the quick turnaround.

Well, I tried that as well, and this time got a different issue:

manoharkalva_0-1607693395767.png

I'm wondering how the same string works in Splunk Web and doesn't when used in curl.

If I use double quotes as is and remove the search keyword from the search string, I'm getting the below error:

manoharkalva_0-1607693870597.png

Thanks,
Manohar

 

0 Karma

scelikok
SplunkTrust

Did you try exactly using my endpoint URL and parameters? It seems you didn't add the --data-urlencode parameter. When I tested, it works fine.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Hi, I did exactly as you suggested. Here is the screenshot:

manoharkalva_0-1607971220411.png

 

I even removed -d after /jobs/export, but it looks like the same error.

Could you please examine the query and tell me which part of it I did wrong?

This would really help me a lot. Thanks in advance.

0 Karma

scelikok
SplunkTrust

I was testing on Linux 😀; curl works differently on Windows. The below (changed single quotes to double quotes) should work on Windows:

curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

I did, and this time got a different issue. My sincere apologies for taking your time, but I have no other option than the Splunk community. Kindly help me out.

 

manoharkalva_0-1607974994269.png

If I remove output_mode=csv, here is what I got. Sorry, I'm really new to Splunk.

manoharkalva_0-1607975281051.png

I installed curl using pip install curl and the version is

manoharkalva_1-1607975426283.png

 

 

0 Karma

scelikok
SplunkTrust

@manoharkalva, no problem 😉

I found out that the problem is because of the spaces in "output_mode = csv".

Please try with output_mode=csv

Because of the spaces, "output_mode" raises an error; also the "=" and "csv" words cannot be processed.

I hope you will get the results now 😀

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Hi, 

I tried removing spaces as well but I didn't get any results. When I used the same query in Splunk, I'm getting data.

Also,

when I removed output_mode, I am getting a different error.

manoharkalva_0-1608112747133.png

Here is the query I used:

curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

I also tried replacing double quotes with single quotes for the string.

manoharkalva_1-1608112906083.png

query: curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

0 Karma

manoharkalva
Engager

I tried the escape character and this worked perfectly fine:

curl -k -u user:pass https://server:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem=\"*/reporting/wkReport.xls\" AND (cs_uri_query=\"reportName=Pay+Certification\" OR cs_uri_query=\"reportName=CS+Monthly+Payroll+Cost*\")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
0 Karma
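
Why the quoting styles tried in this thread behave differently, as an added example (not code from any poster or from Splunk): it models POSIX shell quote removal with Python's shlex and standard form encoding with urllib. The shortened SPL string and all function names are constructed for illustration, Windows cmd.exe parses quotes by different rules, and the server is assumed to decode the body as ordinary application/x-www-form-urlencoded data.

```python
import shlex
from urllib.parse import parse_qs, urlencode

# Constructed, shortened version of the SPL the poster wants Splunk to receive.
WANT = ('search cs_uri_stem="*/reporting/wkReport.xls" AND '
        '(cs_uri_query="reportName=Pay+Certification")|stats count by o')

# The three ways the search= argument was quoted in the thread.
VARIANTS = {
    "single": "search='" + WANT + "'",
    "nested": 'search="' + WANT + '"',
    "escaped": 'search="' + WANT.replace('"', '\\"') + '"',
}

def delivered(arg_text):
    """Value of search= after POSIX shell quote removal (what curl receives)."""
    words = shlex.split(arg_text)
    if len(words) != 1:
        raise ValueError("argument was split into %d words" % len(words))
    return words[0].partition("=")[2]

def form_body(spl):
    """Body with the value form-encoded, as --data-urlencode is meant to do."""
    return urlencode({"search": spl, "output_mode": "csv"})

def raw_body(spl):
    """Body with the value sent unencoded, as plain -d does."""
    return "search=" + spl + "&output_mode=csv"

def server_sees(body):
    """Search string after a standard form decoder parses the body."""
    return parse_qs(body)["search"][0]

if __name__ == "__main__":
    for name, arg in VARIANTS.items():
        spl = delivered(arg)
        print(name, "intact" if spl == WANT else "quotes lost", "->", spl)
    print("encoded:", server_sees(form_body(WANT)))
    print("raw -d :", server_sees(raw_body(WANT)))
```

In the nested case the shell consumes the inner double quotes before curl runs, and with plain -d the `+` in reportName decodes to a space on the server; the single-quoted or backslash-escaped argument combined with form encoding is what delivers the SPL unchanged.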