How to call Splunk API using Postman?

kranthimutyala2 · ‎04-03-2024

curl -k -u svc_aas -d search="search index=aas sourcetype=syslog" https://splunk-prod-api.internal.xxxx.com/services/search/jobs
I want to run this using Postman can someone help me frame the Postman queries to search and retrieve Splunk logs

PickleRick · ‎04-06-2024

The main question is whether you don't know how to use API to perform searches in which case you should star with https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog or whether you don't know how to use podman correctly - this is out of scope of this forum but maybe someone with experience with this tool can give a hint or two.

marnall · ‎04-05-2024

There are different REST endpoints for Splunk to start or retrieve searches. Some will start a search and return a search ID, others will retrieve results from a previous search job.

Probably the most straightforward is the /jobs/export one, which starts a job and returns results, though this will take time for the started search to complete. An example request for this endpoint would be:

curl -k -u <user_in_splunk> https://<yoursplunkhost>:8089/services/search/v2/jobs/export -d search="<yoursplsearch>"

E.g.

curl -k -u svc_aas -d search="search index=aas sourcetype=syslog" https://splunk-prod-api.internal.xxxx.com:8089/services/search/v2/jobs/export

Note that this curl request will request a password for the splunk user. There may be functionality in postman to supply this password.

How to call Splunk API using Postman?

metadata

stats

subsearch

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!