Splunk Search
Highlighted

How can I run searches against the Splunk API?

Splunk Employee
Splunk Employee

I want to run searches against the Splunk API. How can I do this?

Highlighted

Re: How can I run searches against the Splunk API?

Splunk Employee
Splunk Employee

Here is a basic "How To" for searching via the API.

Overview:

  1. Send your query
  2. Check the Job ID for being done
  3. Get the result set based on the Job ID

For example, let's say I want to search my localhost for a saved search called mysavedsearch.

Notes: you must use the splunkd port over SSL; you will need to use curl or a similar tool; you should use a search that doesn't need special escaping;

Part 1: Run the following Curl command

curl -u 'admin' https://localhost:8089/services/search/jobs -d"search=| savedsearch mysavedsearch"

This should return a job id similar to this: 1289517421.3076

Part 2: Query the JOB id to check the status:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076

You will need to make sure the isDone parameter is "1". That means your search is done.

Part 3: Query for the results of your job id:

curl -u 'admin' https://localhost:8089/services/search/jobs/1289517421.3076/results -d"output_mode=csv"

View solution in original post

Highlighted

Re: How can I run searches against the Splunk API?

Splunk Employee
Splunk Employee

whops, you answered it yourself...

Highlighted

Re: How can I run searches against the Splunk API?

Splunk Employee
Splunk Employee

One very important thing to mention is that you need to correctly encode your string when you are using the rest API.
For example searching for the savedsearch "Errors in the last 24 hours" will not work, as the rest API will not recognize this correctly. Make sure you use an encoder like http://meyerweb.com/eric/tools/dencoder/ for example to encode the saved search correctly. This will be understood by the rest api "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22"

0 Karma
Highlighted

Re: How can I run searches against the Splunk API?

New Member

How to check in curl if isDone is set to 1 or my search is completed? I'm getting the below message and I hope it is because my search is not completed

The below command fails 19/20 times with the FATAL error message

curl -s -k -u 'XXX:XXX' -o - https://splunkserver:8089/services/search/jobs/$SID/results --get -d output_mode=csv 


<msg type="FATAL">The search job terminated unexpectedly.</msg>
0 Karma
Highlighted

Re: How can I run searches against the Splunk API?

Splunk Employee
Splunk Employee

Examples using curl:
To Post the search:

curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://bigmac:8089/services/search/jobs/

The above runs a saved search called "Errors in the last 24 hours" for example. Bigmac is my hostaname. This returns the job id.

<?xml version='1.0' encoding='UTF-8'?>
<response><sid>1288399648.45</sid></response>

Then you need to copy the sid and run the following to get the results:

curl -k -u admin:changeme "https://bigmac:8089/services/search/jobs/1288398817.43/results?output_mode=csv"

Note the above is my sid, and you need to get the correct one for your search.

Highlighted

Re: How can I run searches against the Splunk API?

Path Finder

How can I search a specific index via the API using curl? When I try to use
curl -u user:pass -k -d 'search=search index="indexname" OR curl -u user:pass -k -d 'search=search index="indexname"

I get results but the following messages returned...
No Matching index found for 'index=indexname'
No mmatching index found for index::indexname

Any help would be appreciated..

0 Karma
Highlighted

Re: How can I run searches against the Splunk API?

SplunkTrust
SplunkTrust

A few new examples...

Asynchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs -d search="search index=_internal"
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <sid>1520569635.358</sid>
    </response>

Fetching results:

$ curl -G -u admin:changeit -k https://localhost:8089/services/search/jobs/1520569635.358/results -d output_mode=csv    

Synchronous search:

$ curl -u admin:changeit -k https://localhost:8089/services/search/jobs/export -d output_mode=csv  -d search="search index=_internal |head 10"

Getting authentication token:

$ curl -k https://localhost:8089/services/auth/login --data-urlencode username=admin --data-urlencode password=changeit
<response>
  <sessionKey>lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo</sessionKey>
</response>

Running synchronous search with authentication token:

$ curl -k -H "Authorization: Splunk lTsi0Gyhadou77kplKboa8_4DBsMbRB1gpu6sCEvIXIFotnMqNLOJyXQgCLdwM^uhDSRgxpfg_dG0gSbtRIkObpkWrbF2TisTo" \
https://localhost:8089/services/search/jobs/export \
-d output_mode=csv  \
-d search="search index=_internal |head 10"