Splunk Search

HTTP Post request using REST API not returning results

Engager

I am using ASP.NET with C# to call a search job in Splunk. When I run the search in Splunk, it returns results but the HTTP Post is not working. Here is the code:

string URL = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export/";

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URL);

request.UserAgent = "GUI";

request.Method = "POST;

request.ContentType = "application/x-www-form-urlencoded";

string requestVars = String.Format("output_mode=json&search=search%20192.168.1.1");

request.ContentLength = requestVars.Length;

Please help.

Tags (4)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

As indicated in the docs, this endpoint expects a GET, not a POST.

View solution in original post

Ultra Champion

Firstly , this endpoint uses the GET HTTP Method.The docs simply make reference to another endpoint with similar parameters that uses the POST HTTP Method.
That aside , lets debug why you are not getting results.
What HTTP status code is being returned ?
Are there any error messages or diagnostic outputs you can share ?
I can't see where you are setting your session key in the Authorization header.
ie:
request.Authorization = "Splunk 1611a2464777534359db26545612e";

Furthermore , have you checked out our Developer SDKs , they make programming against the Splunk REST API a lot simpler than coding directly at the REST layer where it is easy to make mistakes. There is a C# SDK in a private repository on Github also.

Splunk Employee
Splunk Employee

if it's too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control. that's probably the better approach for extremely large result sets that need to be chunked.

0 Karma

Engager

Ahh right. Good catch!

...
string vars = String.Format("output_mode=json&search=search%20192.1.1.1");
string url = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export?" + vars;
using (WebResponse response = request.GetResponse())
{
using (Stream stream = response.GetResponseStream())
{
StreamReader reader = new StreamReader(stream);
responseText = reader.ReadToEnd();
}
}

The request now is sent but in trying to retrieve the response, the data is huge. Trying to break it up into chunks of data to display in a table. Thanks for your help!

0 Karma

Splunk Employee
Splunk Employee

I also don't see anywhere where the string vars is attached to the request object (or appended to the URL)

Engager

As an FYI, long ago I used the POST which I had no problems with. I'm assuming during an upgrade that the endpoint functionality changed from POST to GET.

0 Karma

Engager

string url = "https://1.1.1.1:8089/servicesNS/admin/MyApp/search/jobs/export/";

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);

req.Credentials = new NetworkCredential(user, pw);

ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

request.Method = "GET";

string vars = String.Format("output_mode=json&search=search%20192.1.1.1");

using (WebResponse response = request.GetResponse()){..}
...

When I run this code, an exception occurs at 'using (WebResponse response = request.GetResponse())'- 400 error bad request.

0 Karma

Splunk Employee
Splunk Employee

As indicated in the docs, this endpoint expects a GET, not a POST.

View solution in original post

Splunk Employee
Splunk Employee

It does not say it is identical to a POST. It says it takes the same parameters as a POST to a different endpoint.

Engager

It says it is identical to POST, so if I change it to a GET there are still no results returned.

0 Karma