Here is a basic "How To" for searching via the API.
For example, let's say I want to search my localhost for a saved search called mysavedsearch.
Notes: you must use the splunkd port over SSL; you will need to use curl or a similar tool; you should use a search that doesn't need special escaping;
Part 1: Run the following Curl command
curl -u 'admin' https://localhost:8089/services/search/jobs -d"search=| savedsearch mysavedsearch"
This should return a job id similar to this: 1289517421.3076
Part 2: Query the JOB id to check the status:
curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076
You will need to make sure the isDone parameter is "1". That means your search is done.
Part 3: Query for the results of your job id:
curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076/results -d"output_mode=csv"
One very important thing to mention is that you need to correctly encode your string when you are using the rest API.
For example searching for the savedsearch "Errors in the last 24 hours" will not work, as the rest API will not recognize this correctly. Make sure you use an encoder like http://meyerweb.com/eric/tools/dencoder/ for example to encode the saved search correctly. This will be understood by the rest api "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22"
How to check in curl if isDone is set to 1 or my search is completed? I'm getting the below message and I hope it is because my search is not completed
The below command fails 19/20 times with the FATAL error message
curl -s -k -u 'XXX:XXX' -o - https://splunkserver:8089/services/search/jobs/$SID/results --get -d output_mode=csv <msg type="FATAL">The search job terminated unexpectedly.</msg>
Examples using curl:
To Post the search:
curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://bigmac:8089/services/search/jobs/
The above runs a saved search called "Errors in the last 24 hours" for example. Bigmac is my hostaname. This returns the job id.
<?xml version='1.0' encoding='UTF-8'?> <response><sid>1288399648.45</sid></response>
Then you need to copy the sid and run the following to get the results:
curl -k -u admin:changeme "https://bigmac:8089/services/search/jobs/1288398817.43/results?output_mode=csv"
Note the above is my sid, and you need to get the correct one for your search.
How can I search a specific index via the API using curl? When I try to use
curl -u user:pass -k -d 'search=search index="indexname" OR curl -u user:pass -k -d 'search=search index="indexname"
I get results but the following messages returned...
No Matching index found for 'index=indexname'
No mmatching index found for index::indexname
Any help would be appreciated..
A few new examples...
$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs -d search="search index=_internal" <?xml version="1.0" encoding="UTF-8"?> <response> <sid>1520569635.358</sid> </response>
$ curl -G -u admin:changeit -k https://localhost:8089/services/search/jobs/1520569635.358/results -d output_mode=csv
$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs/export -d output_mode=csv -d search="search index=_internal |head 10"
Getting authentication token:
$ curl -k https://localhost:8089/services/auth/login --data-urlencode username=admin --data-urlencode password=changeit <response> <sessionKey>lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo</sessionKey> </response>
Running synchronous search with authentication token:
$ curl -k -H "Authorization: Splunk lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo" \ https://localhost:8089/services/search/jobs/export \ -d output_mode=csv \ -d search="search index=_internal |head 10"