How can I run searches against the Splunk API?

Simeon
Splunk Employee

I want to run searches against the Splunk API. How can I do this?

1 Solution

Simeon
Splunk Employee

Here is a basic "How To" for searching via the API.

Overview:

  1. Send your query
  2. Check the Job ID for being done
  3. Get the result set based on the Job ID

For example, let's say I want to search my localhost for a saved search called mysavedsearch.

Notes: you must use the splunkd port over SSL; you will need to use curl or a similar tool; you should use a search that doesn't need special escaping.

Part 1: Run the following Curl command

curl -u 'admin' https://localhost:8089/services/search/jobs -d"search=| savedsearch mysavedsearch"

This should return a job id similar to this: 1289517421.3076

Part 2: Query the JOB id to check the status:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076

You will need to make sure the isDone parameter is "1". That means your search is done.

Part 3: Query for the results of your job id:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076/results -d"output_mode=csv"

my2ndhead
SplunkTrust

A few new examples...

Asynchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs -d search="search index=_internal"
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <sid>1520569635.358</sid>
    </response>

Fetching results:

$ curl -G -u admin:changeit -k https://localhost:8089/services/search/jobs/1520569635.358/results -d output_mode=csv

Synchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs/export -d output_mode=csv  -d search="search index=_internal |head 10"

Getting authentication token:

$ curl -k https://localhost:8089/services/auth/login --data-urlencode username=admin --data-urlencode password=changeit
<response>
  <sessionKey>lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo</sessionKey>
</response>

Running synchronous search with authentication token:

$ curl -k -H "Authorization: Splunk lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo" \
https://localhost:8089/services/search/jobs/export \
-d output_mode=csv  \
-d search="search index=_internal |head 10"

msmapper
Path Finder

How can I search a specific index via the API using curl? When I try to use
curl -u user:pass -k -d 'search=search index="indexname"' OR curl -u user:pass -k -d 'search=search index="indexname"'

I get results but the following messages returned...
No Matching index found for 'index=indexname'
No matching index found for index::indexname

Any help would be appreciated..

Genti
Splunk Employee

Examples using curl:
To Post the search:

curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://bigmac:8089/services/search/jobs/

The above runs a saved search called "Errors in the last 24 hours", for example. Bigmac is my hostname. This returns the job id.

<?xml version='1.0' encoding='UTF-8'?>
<response><sid>1288399648.45</sid></response>

Then you need to copy the sid and run the following to get the results:

curl -k -u admin:changeme "https://bigmac:8089/services/search/jobs/1288398817.43/results?output_mode=csv"

Note the above is my sid, and you need to get the correct one for your search.

Ravimrawi
New Member

How can I check in curl whether isDone is set to 1, i.e. my search is completed? I'm getting the message below, and I hope it is because my search is not completed.

The command below fails 19/20 times with the FATAL error message:

curl -s -k -u 'XXX:XXX' -o - https://splunkserver:8089/services/search/jobs/$SID/results --get -d output_mode=csv

<msg type="FATAL">The search job terminated unexpectedly.</msg>

Genti
Splunk Employee

One very important thing to mention is that you need to correctly encode your string when you are using the REST API.
For example, searching for the savedsearch "Errors in the last 24 hours" will not work, as the REST API will not recognize this correctly. Make sure you use an encoder like http://meyerweb.com/eric/tools/dencoder/ to encode the saved search correctly. This will be understood by the REST API: "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22"

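
An added example, not from any poster in this thread: a POSIX shell script that runs the accepted answer's three steps (submit, poll isDone, fetch CSV), lets curl's --data-urlencode do the encoding Genti describes, and stops when the job reports a FAILED dispatchState rather than requesting results of a job that is not done. It assumes a splunkd reachable at SPLUNK_URL with the credentials in SPLUNK_USER and SPLUNK_PASS (constructed defaults below), and that the job status XML carries the isDone and dispatchState keys that splunkd's Atom output includes.

```shell
#!/bin/sh
# Added example, not from the thread: the accepted answer's three steps as
# one script. Constructed defaults (hypothetical); export to override.
: "${SPLUNK_URL:=https://localhost:8089}"
: "${SPLUNK_USER:=admin}"
: "${SPLUNK_PASS:=changeit}"

# -s silences the progress meter, -k accepts the self-signed splunkd cert
# (the thread's commands use -k too); everything else is passed through.
splunk_curl() {
  curl -s -k -u "$SPLUNK_USER:$SPLUNK_PASS" "$@"
}

# Step 1: POST the search. --data-urlencode encodes spaces, quotes and pipes
# in the SPL string, so no manual %20 escaping. Prints the sid from <sid>.
submit_search() {
  splunk_curl "$SPLUNK_URL/services/search/jobs" --data-urlencode "search=$1" |
    sed -n 's/.*<sid>\([^<]*\)<\/sid>.*/\1/p'
}

# Step 2: poll the job. Returns 0 once isDone is 1; returns 1 if dispatchState
# is FAILED or the job is still running after $2 polls, $3 seconds apart.
wait_for_job() {
  sid=$1; max_polls=${2:-60}; interval=${3:-2}; n=0
  while [ "$n" -lt "$max_polls" ]; do
    status=$(splunk_curl "$SPLUNK_URL/services/search/jobs/$sid")
    state=$(printf '%s\n' "$status" | sed -n 's/.*name="dispatchState">\([A-Z]*\)<.*/\1/p')
    is_done=$(printf '%s\n' "$status" | sed -n 's/.*name="isDone">\([01]\)<.*/\1/p')
    if [ "$state" = "FAILED" ]; then echo "job $sid failed" >&2; return 1; fi
    [ "$is_done" = "1" ] && return 0
    n=$((n + 1)); sleep "$interval"
  done
  echo "job $sid still $state after $max_polls polls" >&2; return 1
}

# Step 3: GET the results as CSV (-G sends -d as query parameters, like the
# thread's "--get -d output_mode=csv").
fetch_results() {
  splunk_curl -G "$SPLUNK_URL/services/search/jobs/$1/results" -d output_mode=csv
}

# All three steps for one SPL query; results are requested only after
# wait_for_job has confirmed isDone=1.
run_search() {
  sid=$(submit_search "$1")
  [ -n "$sid" ] || { echo "no sid in response" >&2; return 1; }
  wait_for_job "$sid" && fetch_results "$sid"
}

if [ "$#" -gt 0 ]; then run_search "$1"; fi
```

Run it as ./splunk_search.sh 'search index=_internal | head 10'; a job that never reaches isDone=1 within the poll limit, or that fails, produces a message on stderr and a non-zero exit instead of a results request.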

Genti
Splunk Employee

Whoops, you answered it yourself...
