REST search issue using Postman

gartnerj · ‎04-25-2019

I have the authorization done, and when I do the POST to do a search I keep getting the error:
(note AAAA and bbb, nnnnnn are the correct host and logpath values in my actual search)

<messages>
        <msg type="DEBUG">Configuration initialization for /var/splunkhot/splunk/etc took 143ms when dispatching a search (search ID: 1556216277.24597_33CF52FC-F282-491A-875E-F8EC1EB01F4C)</msg>
        <msg type="DEBUG">Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.</msg>
        <msg type="DEBUG">base lispy: [ AND host::AAAAAAA source::/app/jboss/bbbb/log/server.log ]</msg>
        <msg type="DEBUG">search context: user="nnnnnnnn", app="search", bs-pathname="/var/splunkhot/splunk/etc"</msg>
    </messages>

The actual search I have in the body is this )

 search=search+host%3DAAAAAA+source%3D%2Fapp%2Fjboss%2Fbbbbb%2Flog%2Fserver.log+%7C+search+ERROR+earliest%3D-4h

I've tried a bunch of different variations, but I am always getting th EVAL-url Length error.
I even did JUST

search=search+host%3DAAAAAA

and still got the error!

Any ideas here on how to format the search correctly to get this to run without that error? I can run the search directly in SPLUNK so it does in fact work.

REST search issue using Postman

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

REST search issue using Postman

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0