Splunk API Script Help

qcjacobo2577
Path Finder

All,

Leveraging the following article (https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/high...) I was able to successfully manipulate the script to:

1. Run using an API token (as opposed to credentials).

2. Get it to run a search I am interested in returning data from.

I am however running into an error with my search (shown below).

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Unparsable URI-encoded request data</msg>
  </messages>
</response>

The script itself now looks like this (I have removed the token and obscured the Splunk endpoint for obvious reasons).

#!/bin/bash
# A simple bash script example of how to get notable events details from REST API

# EXECUTE search and retrieve SID
SID=$(curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs -d search=" search index=index sourcetype="sourcetype" source="source" [ search index="index" sourcetype="sourcetype" source="source" deleted_at="null" | rename uuid AS host_uuid | stats count by host_uuid | fields host_uuid ] | rename data.id AS Data_ID host_uuid AS Host_ID port AS Network_Port | mvexpand data.xrefs{}.type | strcat Host_ID : Data_ID : Network_Port Custom_ID_1 | strcat Host_ID : Data_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search category!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")" <removed some of the search for brevity> \
| grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"

Omitted the remaining portion of the script for brevity....

It is at this point, shown in brackets (| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")), that I am getting the error in question.

The search returns fine up to the point where I am converting time. I tried escaping using "\", but that did not seem to help. I am sure I am missing something simple and am looking for some help.

yuanliu
SplunkTrust

Use the --data-urlencode option instead of -d (--data)

curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs --data-urlencode search='<your search term>'

One more thing: SPL uses lots of double quotes. Quoting your search with single quotes saves you lots of escapes.

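As an added example, not code from this thread: a script that applies the fix above end to end. SPLUNK_HOST, SPLUNK_TOKEN and SPLUNK_CA are assumed environment variable names and the SPL is a constructed sample. The urlencode function reproduces what --data-urlencode does so the cause of the error is visible: sent raw with -d, the "%Y" in the strptime format reaches Splunk as a malformed percent escape, which is why the search worked until the time conversion.

```shell
#!/bin/sh
# Added example; SPLUNK_HOST, SPLUNK_TOKEN and SPLUNK_CA are hypothetical
# environment variable names. The SPL below is a constructed sample.

# Single-quoted, so the embedded double quotes reach Splunk untouched.
SPL='search index="main" sourcetype="access_combined" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S") | stats count by status'

# Percent-encode every byte outside the unreserved set, which is what
# curl --data-urlencode does. -d sends the value as-is, so a literal "%Y"
# is handed to Splunk's form decoder and rejected as a bad escape.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}                 # drop it
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Form body equivalent to: --data-urlencode "search=$SPL"
encoded_body() {
  printf 'search=%s' "$(urlencode "$1")"
}

# Pull the job id out of Splunk's XML reply without awk field splitting.
extract_sid() {
  sed -n 's:.*<sid>\([^<]*\)</sid>.*:\1:p' | head -n 1
}

# Submit the search and print its SID. --cacert replaces the original -k so
# the server certificate is verified instead of ignored.
start_job() {
  curl -sS --cacert "$SPLUNK_CA" \
    -H "Authorization: Bearer $SPLUNK_TOKEN" \
    "https://$SPLUNK_HOST:8089/services/search/jobs" \
    --data-urlencode "search=$1" | extract_sid
}
```

The original line also loses its double quotes before curl sees them, because the shell treats sourcetype="sourcetype" as quoted and unquoted segments joined together; single quotes keep them intact.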