What is wrong with this curl command and what does this output mean?

zackh123
Path Finder

All URLs and such have been modified for privacy.

Can anyone tell me what is happening here? I'm trying to search for "My Search" on a remote Splunk server whose URL is splunk.website.cc. There is no https:// in front of it. If you try to load https://splunk.website.cc in your normal web browser it will fail.

Here is the command I am sending through the CLI using the REST API:

curl -k -3 -vvv -u admin:pass -d "search=savedsearch %22My%20Search%22" -d "output_mode=csv" splunk.website.cc:80/servicesNS/admin/search/search/jobs/export

I am using port 80 because that is the port that the server connects to. If I use port 8089, it times out trying to connect to the server.

When I run the above command, I get this output in my CLI...

* About to connect() to splunk.website.cc port 80 (#0)
*   Trying 1.1.1.1... connected
* Server auth using Basic with user 'admin'
> POST /servicesNS/admin/search/search/jobs/export HTTP/1.0
> Authorization: Basic cmFzY2FsOnphY2twYXNzd29yZA==
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: splunk.website.cc
> Accept: */*
> Content-Length: 51
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 51out of 51 bytes
< HTTP/1.1 303 See Other
< Date: Tue, 23 Oct 2012 18:45:20 GMT
< Server: CherryPy/3.1.2
< Content-Length: 194
< Content-Type: text/html;charset=utf-8
< Location: http://splunk.website.cc/en-US/servicesNS/admin/search/search/jobs/export
< Set-Cookie: session_id_8000=f2d959814502146df5c678e29f8043ccc4bdf1a4; expires=Wed, 24 Oct 2012 18:45:20 GMT; httponly; Path=/
< Connection: close
< 
* Closing connection #0

Can anyone please explain what this output means and/or what I can do to correct it? It's obviously not an output of data from "My Search". Any response would be appreciated!

0 Karma
1 Solution

sowings
Splunk Employee

Specifically to answer your question about the output from curl, it says "303, the thing you want is over there". It's referring you to a localized version of the URL you asked for, to show it to you in English, with a US (en-US) locale. An ordinary browser would follow that up and go ask for that URL as a GET (and probably then get a 404).

zackh123
Path Finder

Thanks for the answer. And I apologize for the bombardment of questions that I am asking and there will probably be more to come. I'm very new to Splunk, Splunk CLI, and Rest API. But when assigned something at my place of work, you have to do it! I appreciate the patience of all of you guys. This seems like a nifty tool! @sowings @Ayn @gkanapathy

0 Karma

sowings
Splunk Employee

From what I can see, you're talking to Splunk WEB (CherryPy) on port 80 over HTTP, not the splunk daemon itself, which would be servicing your REST call. Try using the server's hostname, port 8089 (default management port) as the host part of your curl statement. You'll need to preface it with https.
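
An added example, not part of the original thread: a shell helper that reads the response headers printed by `curl -v`, reports whether Splunk Web or splunkd answered, and rewrites the redirect target into the management-port form described in this answer. The function names and the `Server: Splunkd` check are assumptions of this sketch; the sample headers are copied from the output in the question.

```shell
#!/bin/sh
# Added example: identify which Splunk listener produced a response from the
# header lines that `curl -v` prints (prefixed with "< ").

# Sample input: response headers copied from the port-80 output in the question.
sample_port80_headers() {
    cat <<'EOF'
< HTTP/1.1 303 See Other
< Server: CherryPy/3.1.2
< Location: http://splunk.website.cc/en-US/servicesNS/admin/search/search/jobs/export
< Connection: close
EOF
}

# Reads headers on stdin; prints "splunk-web", "splunkd" or "unknown".
classify_listener() {
    awk '
        { sub(/\r$/, ""); sub(/^< /, "") }   # strip CR and the curl "< " prefix
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2 }
        tolower($1) == "server:"   { server = tolower($2) }
        tolower($1) == "location:" { location = $2 }
        END {
            # Splunk Web answers API paths with a redirect to /<locale>/...
            localized = (location ~ "^https?://[^/]+/[a-z][a-z]-[A-Z][A-Z]/")
            if (server ~ /^cherrypy/ || (status == 303 && localized))
                print "splunk-web"
            else if (server ~ /^splunkd/)   # assumed splunkd Server header
                print "splunkd"
            else
                print "unknown"
        }'
}

# Rewrites a Splunk Web redirect target into the management-port form given in
# the thread: https scheme, port 8089, locale prefix removed.
to_mgmt_url() {
    printf '%s\n' "$1" | sed -E \
        -e 's#^https?://([^/:]+)(:[0-9]+)?#https://\1:8089#' \
        -e 's#^(https://[^/]+)/[a-z]{2}-[A-Z]{2}/#\1/#'
}

if [ "$(sample_port80_headers | classify_listener)" = "splunk-web" ]; then
    echo "Splunk Web answered, not splunkd; REST calls belong on:"
    to_mgmt_url "http://splunk.website.cc/en-US/servicesNS/admin/search/search/jobs/export"
fi
```

To check a live response instead of the embedded sample, save the `<`-prefixed lines from `curl -v` to a file and pipe that file into `classify_listener`.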

gkanapathy
Splunk Employee

This looks to me like the same problem. You're still connecting to the wrong port (and getting an error both times, so stop doing that) and when you use the right port, you're getting blocked, most probably by a firewall.

Ayn
Legend

OK - the issue is the same though. You need to access port 8089.

0 Karma

sowings
Splunk Employee

It's a successful connection, yes, but you're talking to the webserver, not splunkd. Based upon your comment about connecting to port 8089, it sounds like there's a firewall in the way.

0 Karma

zackh123
Path Finder

Thanks for the help @Ayn but this is different output as I am actually POSTing back to the server with some sort of data I collected. The last question was asking for information about an error. This question is asking for information on output to what seems to be a successful connection to the server.

0 Karma

Ayn
Legend

I don't see how this question is just another big déjà vu of http://splunk-base.splunk.com/answers/62852/curl-35-error-rest-api - why are you asking the same question twice? And why did you accept the original answer if you haven't resolved your issue?

0 Karma

gkanapathy
Splunk Employee

If it times out, then it's most likely because you have a firewall or something else blocking it.

0 Karma

zackh123
Path Finder

If I use that url, it times out trying to connect.

* About to connect() to splunk.website.cc port 8089 (#0)
*   Trying 1.1.1.1... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
0 Karma

sowings
Splunk Employee

I was assuming you had obfuscated it. An example might be curl ... https://splunk.website.cc:8089/servicesNS/admin/search/search/jobs/export ...

0 Karma

zackh123
Path Finder

Where would I find my server's hostname? I thought it was splunk.website.cc

0 Karma