Splunk Enterprise

rest api search not working when using cs_uri_stem/cs_uri_query in the query

manoharkalva
Engager

I can able to search from splunk web using the below string:

cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName

but when i use the same search string while REST API call's its not working.

curl -ku username:paswd https://splunkapiurl:port/servicesNS/admin/search/search/jobs/export -d search=“search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName” -d output_mode=csv

manoharkalva_1-1607678614331.png

 

Please help me out resolving the issue.

Labels (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

The problem is because of double-quotes inside the search string. Please try below;

curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search='search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName' -d output_mode=csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Thank you for quick turn around.

Well, i tried that as well and this time different issue

manoharkalva_0-1607693395767.png

i'm wondering how the same string works in splunk web and doesn't when used in CURL.

if i use double quotes as is and remove search keyword from the search string i'm getting below error:

manoharkalva_0-1607693870597.png

Thanks,
Manohar

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Did you try exactly using my endpoint url and parameters? It seems you didn't add --data-urlencode parameter. When I tested it works fine. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Hi, i did exactly as you suggested. Here is the screenshot:

manoharkalva_0-1607971220411.png

 

i even removed -d after /jobs/export but looks like same error.

Could you please examine the query and tell me which part of it i did wrong.

This would really help me a lot. Thanks in advance.

0 Karma

scelikok
SplunkTrust
SplunkTrust

I was testing on Linux 😀 , curl is working different on Windows. Below (changed single quotes with double quotes )should work on Windows;

curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

I Did and this time different issue, My sincere apologies for taking your time, but have no other option than splunk community. Kindly help me out.

 

manoharkalva_0-1607974994269.png

If i remove output_mode=csv, here is what i got. Sorry im really new to Splunk.

manoharkalva_0-1607975281051.png

i installed curl using pip install curl and the version is 

manoharkalva_1-1607975426283.png

 

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

@manoharkalva , no problem 😉 

I found out that the problem is because of the spaces in "output_mode = csv".

Please try with output_mode=csv

because of spaces "output_mode" raises an error, aslo "=" and "csv" words cannot processed. 

I hope you will get the results now 😀

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

manoharkalva
Engager

Hi, 

I tried removing spaces as well but i din't get any results. when i used the same query in splunk i'm getting data.

Also,

when i removed output_mode, i am getting different error.

manoharkalva_0-1608112747133.png

Here is the query i used:

curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

and also tried replacing double quotes with single quotes for the string.

manoharkalva_1-1608112906083.png

query: curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

Tags (1)
0 Karma

manoharkalva
Engager
i tried escape character and this worked perfectly fine: curl -k -u user:pass https://server:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem=\"*/reporting/wkReport.xls\" AND (cs_uri_query=\"reportName=Pay+Certification\" OR cs_uri_query=\"reportName=CS+Monthly+Payroll+Cost*\")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...