In my first post,
I need to search Splunk using the REST API. How do I get the system to actually return me some results?
Steps
- POST a search, example:
search=search index=myIndex earliest=-1d "[nice-keyword]" AND "Nice catch-phrase" | rex field=_raw "reportingSystem\":\s+\"(?<system>\d{3})[\s\S]+operationCode\":\s+\"(?<opcode>\w+)[\s\S]+ticketId\":\s+\"(?<ticket>\d*)[\s\S]+transactionCode\":\s+\"(?<txcode>\w+)[\s\S]+NumericCode\":\s+\"(?<agency>\d*)" | table system, opcode, txcode, agency
- In the SEARCH User Interface, this makes a nice report
- Grab the job search ID.
- Continually GET the job status of the POSTed search until DONE or something else that helps me stop polling.
- Ask for the job results. Get 200 OK but no content.
How does one actually format a search that can provide actual results via the API?
Stumped. For days. I'm using Postman before moving on to my favorite middleware tool.
Thank you.
