Splunk Search

Run DBX query via REST API

mxanareckless
Path Finder

I've checked this, but it hasn't solved the problem for me: https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-run-a-curl-command-on-a-dbxquery/m...

This is my curl request:

curl -u username:password -k https://192.168.xx.xxx:xxxx/services/search/jobs -d search=" | dbxquery query=\"select (select sum(bytes) from dba_data_files)+(select sum(bytes) from dba_temp_files)-(select sum(bytes) from dba_free_space) total_size from dual\" connection=\"XXX\""

And I get an SID back:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>1611013146.153172</sid>
</response>

However, when I try fetching the results, I get nothing back:

[user.name@host ~]$ curl -u username:password -k https://192.168.xx.xxx:xxxx/services/search/jobs/1611013146.153172/results/ --get -d output_mode=csv
[user.name@host ~]$

I've tried waiting a few minutes in between fetch attempts, still nothing. This same query works fine and returns a result immediately when run from the DBX UI:

spk-cb-cxn2.PNG

Is there something I'm missing here in order to get the result via the REST API? Thanks.

0 Karma

scelikok
SplunkTrust

Hi @mxanareckless,

You can try the export endpoint:

curl -u username:password -k https://192.168.xx.xxx:xxxx/services/search/jobs/export --data-urlencode search=' | dbxquery query=\"select (select sum(bytes) from dba_data_files)+(select sum(bytes) from dba_temp_files)-(select sum(bytes) from dba_free_space) total_size from dual\" connection=\"XXX\"'

If this reply helps you, an upvote is appreciated.

mxanareckless
Path Finder

@scelikok Thank you, but still nothing is being returned after trying for 10 minutes, until eventually an error "Unknown SID" is returned:

[user.name@host ~]$ curl -u username:password -k https://192.168.xx.xxx:xxxx/services/search/jobs/export --data-urlencode search=' | dbxquery query=\"select (select sum(bytes) from dba_data_files)+(select sum(bytes) from dba_temp_files)-(select sum(bytes) from dba_free_space) total_size from dual\" connection=\"xxx\"'
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder />
</meta>
<messages>
  <msg type="DEBUG">Configuration initialization for /opt/splunk/etc took 19ms when dispatching a search (search ID: 1611076520.164004)</msg>
  <msg type="DEBUG">The 'dbxquery' command is implemented as an external script and may cause the search to be significantly slower.</msg>
  <msg type="DEBUG">search context: user="username", app="search", bs-pathname="/opt/splunk/etc"</msg>
</messages>

</results>

# Querying for result for 10 minutes, until below occurs:

[user.name@host ~]$ curl -u username:password -k https://192.168.xx.xxx:xxxx/services/search/jobs/1611076520.164004/results/ --get -d output_mode=csv
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="FATAL">Unknown sid.</msg>
  </messages>
</response>

0 Karma
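
Added example, not from either poster or from Splunk: the create / poll / fetch sequence this thread walks through with curl, waiting for the job's `dispatchState` to become terminal before requesting results. It assumes token authentication is enabled and a CA bundle for the server certificate is available (in place of `-u username:password -k`); `make_transport`, `run_search`, `fake_transport` and the sample row are constructed for illustration.

```python
import json, ssl, time, urllib.parse, urllib.request

def make_transport(base_url, token, ca_file):
    """Return call(method, path, params) -> parsed JSON body (TLS verified, no curl -k)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    def call(method, path, params):
        data = urllib.parse.urlencode(dict(params, output_mode="json"))
        url, body = base_url + path, data.encode()
        if method == "GET":
            url, body = url + "?" + data, None
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # an empty body is reported as {}
    return call

def run_search(call, spl, poll=2.0, timeout=600.0, sleep=time.sleep):
    """Create a job, poll until dispatchState is terminal, then fetch all results."""
    sid = call("POST", "/services/search/jobs", {"search": spl})["sid"]
    job = "/services/search/jobs/" + urllib.parse.quote(sid, safe="")
    waited = 0.0
    while True:
        content = call("GET", job, {})["entry"][0]["content"]
        state = content["dispatchState"]
        if state == "DONE":
            break
        if state == "FAILED" or waited >= timeout:
            # Surface the job's own messages instead of returning an empty result.
            raise RuntimeError(f"job {sid} not finished, state={state}, "
                               f"messages={content.get('messages')}")
        sleep(poll)
        waited += poll
    res = call("GET", job + "/results", {"count": 0})  # count=0 returns every row
    return sid, res.get("results", []), res.get("messages", [])

def fake_transport(states):
    """Constructed stand-in for a Splunk server: replays the given dispatch states."""
    states = iter(states)
    def call(method, path, params):
        if method == "POST":
            return {"sid": "1611013146.153172"}
        if path.endswith("/results"):
            return {"results": [{"total_size": "123"}], "messages": []}
        return {"entry": [{"content": {"dispatchState": next(states), "messages": []}}]}
    return call

if __name__ == "__main__":
    demo = fake_transport(["QUEUED", "RUNNING", "DONE"])
    print(run_search(demo, '| dbxquery query="select 1 from dual" connection="XXX"',
                     sleep=lambda s: None))
```

Against a real server, pass `make_transport("https://<host>:<mgmt-port>", token, "/path/to/ca.pem")` as `call`; the host, port, token and CA path are placeholders.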