Splunk Search

HTTP Post request using REST API not returning results

mznikkip
Engager

I am using ASP.NET with C# to call a search job in Splunk. When I run the search in Splunk, it returns results but the HTTP Post is not working. Here is the code:

string URL = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export/";

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URL);

request.UserAgent = "GUI";

request.Method = "POST;

request.ContentType = "application/x-www-form-urlencoded";

string requestVars = String.Format("output_mode=json&search=search%20192.168.1.1");

request.ContentLength = requestVars.Length;

Please help.

Tags (4)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

As indicated in the docs, this endpoint expects a GET, not a POST.

View solution in original post

Damien_Dallimor
Ultra Champion

Firstly , this endpoint uses the GET HTTP Method.The docs simply make reference to another endpoint with similar parameters that uses the POST HTTP Method.
That aside , lets debug why you are not getting results.
What HTTP status code is being returned ?
Are there any error messages or diagnostic outputs you can share ?
I can't see where you are setting your session key in the Authorization header.
ie:
request.Authorization = "Splunk 1611a2464777534359db26545612e";

Furthermore , have you checked out our Developer SDKs , they make programming against the Splunk REST API a lot simpler than coding directly at the REST layer where it is easy to make mistakes. There is a C# SDK in a private repository on Github also.

gkanapathy
Splunk Employee
Splunk Employee

if it's too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control. that's probably the better approach for extremely large result sets that need to be chunked.

0 Karma

mznikkip
Engager

Ahh right. Good catch!

...
string vars = String.Format("output_mode=json&search=search%20192.1.1.1");
string url = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export?" + vars;
using (WebResponse response = request.GetResponse())
{
using (Stream stream = response.GetResponseStream())
{
StreamReader reader = new StreamReader(stream);
responseText = reader.ReadToEnd();
}
}

The request now is sent but in trying to retrieve the response, the data is huge. Trying to break it up into chunks of data to display in a table. Thanks for your help!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I also don't see anywhere where the string vars is attached to the request object (or appended to the URL)

mznikkip
Engager

As an FYI, long ago I used the POST which I had no problems with. I'm assuming during an upgrade that the endpoint functionality changed from POST to GET.

0 Karma

mznikkip
Engager

string url = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export/";

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);

req.Credentials = new NetworkCredential(user, pw);

ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

request.Method = "GET";

string vars = String.Format("output_mode=json&search=search%20192.1.1.1");

using (WebResponse response = request.GetResponse()){..}
...

When I run this code, an exception occurs at 'using (WebResponse response = request.GetResponse())'- 400 error bad request.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

As indicated in the docs, this endpoint expects a GET, not a POST.

gkanapathy
Splunk Employee
Splunk Employee

It does not say it is identical to a POST. It says it takes the same parameters as a POST to a different endpoint.

mznikkip
Engager

It says it is identical to POST, so if I change it to a GET there are still no results returned.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...