Splunk Search

Splunk API Script Help

qcjacobo2577
Path Finder

All,

Leveraging the following article (https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/high...) I was able to successfully manipulate the script to:

1. Run using an API token (as opposed to credentials).

2. Get it to run a search I am interested in returning data from.

I am however running into an error with my search (shown below).

 

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Unparsable URI-encoded request data</msg>
  </messages>
</response>

 

 The script itself now looks like this (I have removed the token and obscured the Splunk endpoint for obvious reasons.

 

#!/bin/bash
# A simple bash script example of how to get notable events details from REST API

# EXECUTE search and retrieve SID
SID=$(curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs -d search=" search index=index sourcetype="sourcetype" source="source" [ search index="index" sourcetype="sourcetype" source="source" deleted_at="null" | rename uuid AS host_uuid | stats count by host_uuid | fields host_uuid ] | rename data.id AS Data_ID host_uuid AS Host_ID port AS Network_Port | mvexpand data.xrefs{}.type | strcat Host_ID : Data_ID : Network_Port Custom_ID_1 | strcat Host_ID : Data_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search category!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")" <removed some of the search for brevity> \
| grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"

Omitted the remaining portion of the script for brevity....

 

 

It is at this point shown in brackets (| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S") that I am getting the error in question.

The search returns fine up to the point where I am converting time ---- I tried escaping using "\", but that did not seem to help. I am sure I am missing something simple and looking for some help.

Labels (2)
Tags (3)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Use the --data-urlencode option instead of -d (--data)

curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs --data-urlencode search='<your search term>'

One more thing: SPL uses lots of double quotes.  Quote your search with single quotes saves you lots of escapes.

View solution in original post

yuanliu
SplunkTrust
SplunkTrust

Use the --data-urlencode option instead of -d (--data)

curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs --data-urlencode search='<your search term>'

One more thing: SPL uses lots of double quotes.  Quote your search with single quotes saves you lots of escapes.

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...