All,
Leveraging the following article (https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/high...), I was able to successfully manipulate the script to:
1. Run using an API token (as opposed to credentials).
2. Get it to run a search I am interested in returning data from.
I am however running into an error with my search (shown below).
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unparsable URI-encoded request data</msg>
</messages>
</response>
The script itself now looks like this (I have removed the token and obscured the Splunk endpoint for obvious reasons).
#!/bin/bash
# A simple bash script example of how to get notable events details from REST API
# EXECUTE search and retrieve SID
SID=$(curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs -d search=" search index=index sourcetype="sourcetype" source="source" [ search index="index" sourcetype="sourcetype" source="source" deleted_at="null" | rename uuid AS host_uuid | stats count by host_uuid | fields host_uuid ] | rename data.id AS Data_ID host_uuid AS Host_ID port AS Network_Port | mvexpand data.xrefs{}.type | strcat Host_ID : Data_ID : Network_Port Custom_ID_1 | strcat Host_ID : Data_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search category!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")" <removed some of the search for brevity> \
| grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"
Remaining portion of the script omitted for brevity.
It is at this point, shown in brackets (| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")), that I am getting the error in question.
The search returns fine up to the point where I am converting time. I tried escaping using "\", but that did not seem to help. I am sure I am missing something simple and am looking for some help.
Use the --data-urlencode option instead of -d (--data).
curl -H "Authorization: Bearer <token ID here>" -k https://host.domain.com:8089/services/search/jobs --data-urlencode search='<your search term>'
One more thing: SPL uses lots of double quotes. Quoting your search with single quotes saves you lots of escapes.
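To see why the answer above works, here is an added example (not code from the original post and not Splunk's own code) that builds the request body both ways, the way `curl -d` and `curl --data-urlencode` do, and then decodes it with a strict application/x-www-form-urlencoded parser. The SPL string is a constructed, shortened version of the search in the question; the strict decoder is an assumption about what splunkd does on its side (splunkd is not open source), chosen because its observable behaviour matches the error message in the question. The `%Y`, `%m`, `%H` and `%S` inside the strptime() format string are the trigger: sent raw, they look like broken percent-escapes.

```python
"""Why `curl -d search=<spl>` fails with "Unparsable URI-encoded request data"
and why `curl --data-urlencode search=<spl>` does not.

Added example, not from the original post or from Splunk. The SPL is a
constructed, shortened form of the search in the question. The strict
decoder is a model of the server side (assumption: splunkd rejects
malformed percent-escapes instead of passing them through).
"""
from urllib.parse import quote

# Constructed SPL: the strptime() format string is the important part.
SPL = ('search index=index sourcetype="sourcetype" state!="fixed" '
       '| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")')

HEX = set("0123456789abcdefABCDEF")


def strict_unquote(text: str) -> str:
    """Decode one form-encoded field; raise on any '%' not followed by two hex digits.

    Python's urllib.parse.unquote silently keeps bad escapes, so it cannot
    reproduce the server's error; this decoder is strict on purpose.
    """
    raw = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == '%':
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEX:
                raise ValueError(
                    f"Unparsable URI-encoded request data at offset {i}: {text[i:i + 3]!r}")
            raw.append(int(pair, 16))
            i += 3
        elif c == '+':            # form encoding maps '+' to a space
            raw.append(0x20)
            i += 1
        else:
            raw.extend(c.encode('utf-8'))
            i += 1
    return raw.decode('utf-8')


def body_with_dash_d(spl: str) -> str:
    """What `curl -d search=<spl>` puts on the wire: the bytes are sent untouched."""
    return "search=" + spl


def body_with_data_urlencode(spl: str) -> str:
    """What `curl --data-urlencode search=<spl>` sends.

    curl leaves only alphanumerics and -._~ unescaped; quote(..., safe='')
    applies the same rule, so '%' becomes '%25', '"' becomes '%22', etc.
    """
    return "search=" + quote(spl, safe='')


def server_parse(body: str) -> dict:
    """Model of the server: split on '&', then strict-decode key and value.

    A literal '&' inside an unencoded SPL string would start a new field
    here, which is a second reason to always encode the search.
    """
    fields = {}
    for pair in body.split('&'):
        key, _, value = pair.partition('=')   # SPL may contain '=' itself
        fields[strict_unquote(key)] = strict_unquote(value)
    return fields


def submit(body: str) -> str:
    """Return the decoded search the server would run, or the error it would raise."""
    try:
        return server_parse(body)["search"]
    except ValueError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    print("-d              ->", submit(body_with_dash_d(SPL)))
    print("--data-urlencode ->", submit(body_with_data_urlencode(SPL)))
```

Running it shows the `-d` body failing at the `%Y` of the format string, while the `--data-urlencode` body decodes back to the exact SPL. Wrapping the SPL in single quotes on the shell side, as the answer suggests, only protects the double quotes from bash; it does nothing about `%`, which is why both parts of the advice are needed.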