Solved: How can I run searches against the Splunk API?

Simeon · ‎11-12-2010

I want to run searches against the Splunk API. How can I do this?

Simeon · ‎11-12-2010

Here is a basic "How To" for searching via the API.

Overview:

Send your query
Check the Job ID for being done
Get the result set based on the Job ID

For example, let's say I want to search my localhost for a saved search called mysavedsearch.

Notes: you must use the splunkd port over SSL; you will need to use curl or a similar tool; you should use a search that doesn't need special escaping;

Part 1: Run the following Curl command

curl -u 'admin' https://localhost:8089/services/search/jobs -d"search=| savedsearch mysavedsearch"

This should return a job id similar to this: 1289517421.3076

Part 2: Query the JOB id to check the status:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076

You will need to make sure the isDone parameter is "1". That means your search is done.

Part 3: Query for the results of your job id:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076/results -d"output_mode=csv"

View solution in original post

my2ndhead · ‎03-08-2018

A few new examples...

Asynchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs -d search="search index=_internal"
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <sid>1520569635.358</sid>
    </response>

Fetching results:

$ curl -G -u admin:changeit -k https://localhost:8089/services/search/jobs/1520569635.358/results -d output_mode=csv

Synchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs/export -d output_mode=csv  -d search="search index=_internal |head 10"

Getting authentication token:

$ curl -k https://localhost:8089/services/auth/login --data-urlencode username=admin --data-urlencode password=changeit
<response>
  <sessionKey>lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo</sessionKey>
</response>

Running synchronous search with authentication token:

$ curl -k -H "Authorization: Splunk lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo" \
https://localhost:8089/services/search/jobs/export \
-d output_mode=csv  \
-d search="search index=_internal |head 10"

msmapper · ‎02-03-2012

How can I search a specific index via the API using curl? When I try to use
curl -u user:pass -k -d 'search=search index="indexname" OR curl -u user:pass -k -d 'search=search index="indexname"

I get results but the following messages returned...
No Matching index found for 'index=indexname'
No mmatching index found for index::indexname

Any help would be appreciated..

Genti · ‎11-12-2010

Examples using curl:
To Post the search:

curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://bigmac:8089/services/search/jobs/

The above runs a saved search called "Errors in the last 24 hours" for example. Bigmac is my hostaname. This returns the job id.

<?xml version='1.0' encoding='UTF-8'?>
<response><sid>1288399648.45</sid></response>

Then you need to copy the sid and run the following to get the results:

curl -k -u admin:changeme "https://bigmac:8089/services/search/jobs/1288398817.43/results?output_mode=csv"

Note the above is my sid, and you need to get the correct one for your search.

Simeon · ‎11-12-2010

Here is a basic "How To" for searching via the API.

Overview:

Send your query
Check the Job ID for being done
Get the result set based on the Job ID

For example, let's say I want to search my localhost for a saved search called mysavedsearch.

Notes: you must use the splunkd port over SSL; you will need to use curl or a similar tool; you should use a search that doesn't need special escaping;

Part 1: Run the following Curl command

curl -u 'admin' https://localhost:8089/services/search/jobs -d"search=| savedsearch mysavedsearch"

This should return a job id similar to this: 1289517421.3076

Part 2: Query the JOB id to check the status:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076

You will need to make sure the isDone parameter is "1". That means your search is done.

Part 3: Query for the results of your job id:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076/results -d"output_mode=csv"

Ravimrawi · ‎05-04-2016

How to check in curl if isDone is set to 1 or my search is completed? I'm getting the below message and I hope it is because my search is not completed

The below command fails 19/20 times with the FATAL error message

curl -s -k -u 'XXX:XXX' -o - https://splunkserver:8089/services/search/jobs/$SID/results --get -d output_mode=csv 


<msg type="FATAL">The search job terminated unexpectedly.</msg>

Genti · ‎11-12-2010

One very important thing to mention is that you need to correctly encode your string when you are using the rest API.
For example searching for the savedsearch "Errors in the last 24 hours" will not work, as the rest API will not recognize this correctly. Make sure you use an encoder like http://meyerweb.com/eric/tools/dencoder/ for example to encode the saved search correctly. This will be understood by the rest api "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22"

Genti · ‎11-12-2010

whops, you answered it yourself...

How can I run searches against the Splunk API?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!