Splunk Search

API search query help

thaghost99
Path Finder

Hi, me again.

Need help.

This search string works perfectly fine when doing a search in the GUI.

This search works fine in Splunk app = XADATA:

index=xa_data sourcetype=xaupload Time_!=timestamp earliest=-40m latest=now |timechart span=40m eval(sum(Total_)) by time | eval Total_= sum(NULL) |where NULL > 0

But when I use the same search via the API, I am getting this error.

Any help will do, thank you.

[screenshot: thaghost99_0-1623099599458.png]

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @thaghost99, PIPEs are usually fine; the same SPL that you use in the UI can be used in the API, except for the explicit search command at the beginning of the query. Which PIPE are you referring to?

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @thaghost99 

The one you got is not an error; 'messages' is additional information that's being returned by the API in output_mode=json. You can safely ignore it for your case. In this case your search did not return any results; see that results[] is empty.

To test this further you can set output_mode=raw and execute; you won't get any output. The docs do not cover how to get rid of these 'messages' in JSON mode.

If the search returns results you see the output as described here: Search endpoint descriptions - Splunk Documentation

----

An upvote would be appreciated if it helps!

0 Karma

thaghost99
Path Finder

@venkatasri

Hi, thanks for the update. I think I found the problem. I think for some reason it does not like the PIPE.

When I have the pipe it gives me that error, but when I remove it, it works just fine.

Can you help?

0 Karma

thaghost99
Path Finder

This works:

curl -u admin:admin -k https://xxxx:8089/services/search/jobs --data-urlencode search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records"

This does not:

curl -u admin:admin -k https://xxx:8089/services/search/jobs -d search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records | table Total_"

NOTE: Total_ is a valid field, and it works when doing it directly in the Splunk web UI.

[screenshot: thaghost99_0-1623376325917.png]

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @thaghost99 

As I initially mentioned, the message only appears in JSON mode regardless of PIPE. output_mode=raw/csv never returns such a message. See below.

WITH PIPE, message appears.

[screenshot: venkatasri_0-1623384696627.png]

WITHOUT PIPE, message appears.

[screenshot: venkatasri_0-1623385037778.png]

------

An upvote would be appreciated if it helps!

0 Karma

thaghost99
Path Finder

@venkatasri 

This works:

curl -u admin:admin -k https://xxxx:8089/services/search/jobs --data-urlencode search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records"

This does not:

curl -u admin:admin -k https://xxx:8089/services/search/jobs -d search="search index=xa_data sourcetype=xaupload earliest=-20m latest=now NOT records | table Total_"

NOTE: Total_ is a valid field, and it works when doing it directly in the Splunk web UI.

[screenshot: thaghost99_0-1623376418188.png]

0 Karma

thaghost99
Path Finder

@venkatasri 

I wish it worked, but it's empty results.

curl -u admin:admin -k https://xxxx:8089/services/search/jobs/mysearch_1/results --get -d output_mode=raw

[screenshot: thaghost99_0-1623411440982.png]

Should I log a ticket that it doesn't work?

0 Karma
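The points raised in the thread (the REST endpoint wants an explicit leading `search` command, a piped query must be form-encoded so `|` and spaces survive, and a JSON reply whose `messages` carries an INFO note with `results: []` is an empty result set, not an error) as an added Python example, not code from the thread or from Splunk. Host, credentials and the sample JSON body are placeholders or constructed; the `/services/search/jobs` and `/services/search/jobs/<sid>/results` endpoints are the standard ones the posts use.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_search_body(spl, earliest="-20m", latest="now"):
    """Form-encode the job request: prefix the SPL with 'search' if it lacks a leading
    command, and URL-encode so '|' and spaces reach Splunk intact (curl -d does not encode)."""
    spl = spl.strip()
    if not spl.startswith(("search ", "|")):
        spl = "search " + spl
    params = {"search": spl, "earliest_time": earliest, "latest_time": latest}
    return urllib.parse.urlencode(params).encode()


def classify_results(payload):
    """Interpret a /results?output_mode=json body. 'messages' carries INFO/WARN/ERROR notes
    next to 'results'; an INFO note plus results=[] is simply a search with no matches."""
    data = json.loads(payload)
    messages = data.get("messages", [])
    results = data.get("results", [])
    errors = [m.get("text", "") for m in messages if m.get("type") in ("ERROR", "FATAL")]
    return {"rows": len(results), "errors": errors, "empty": not results and not errors}


def run_search(base_url, user, password, spl, earliest="-20m", latest="now"):
    """Create the job, poll until isDone, fetch JSON results. Network call, not run offline.
    base_url is a placeholder such as 'https://splunk.example:8089'; TLS verification is
    left on (no equivalent of curl -k)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    hdr = {"Authorization": "Basic " + token}
    req = urllib.request.Request(base_url + "/services/search/jobs?output_mode=json",
                                 data=build_search_body(spl, earliest, latest), headers=hdr)
    sid = json.load(urllib.request.urlopen(req))["sid"]
    while True:
        st = urllib.request.Request(f"{base_url}/services/search/jobs/{sid}?output_mode=json",
                                    headers=hdr)
        if json.load(urllib.request.urlopen(st))["entry"][0]["content"]["isDone"]:
            break
        time.sleep(1)
    res = urllib.request.Request(f"{base_url}/services/search/jobs/{sid}/results?output_mode=json",
                                 headers=hdr)
    return classify_results(urllib.request.urlopen(res).read())


# Constructed sample of the kind of body the thread's screenshots show: INFO note, no rows.
SAMPLE_EMPTY = json.dumps({"preview": False, "init_offset": 0,
                           "messages": [{"type": "INFO", "text": "Your search did not return any results."}],
                           "fields": [], "results": []})
```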