Hi Team,
I am trying to run a search and get the searchId, I will use this searchId later to fetch the results.
curl --location --request POST 'https://splunkcloud.com:<port>/services/search/jobs?output_mode=json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer JWT' \
--data-raw 'search=search |rest /servicesNS/-/-/saved/searches/ splunk_server=local | rename eai:* as * | rename acl.* as *|search app=*| table triggered_alert_count, title'
I am getting the SID and doing get
https://splunkcloud.com:<port>/services/search/jobs/<SID>/results?output_mode=json
I am getting the error as below
{
"messages": [
{
"type": "FATAL",
"text": "Error in 'rest' command: This command must be the first command of a search."
}
]
}
This works fine for normal searches, but not for searches that start with |rest. Let me know why rest is not taking the | even after adding it.
What are you trying to do? Use a REST call to create a | rest search? Kinda pointless. Why don't you call the proper REST endpoint directly?
Hi
This should work:
curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search="|rest /servicesNS/-/-/saved/searches/ splunk_server=local | rename eai:* as * | rename acl.* as *|search app=*| table triggered_alert_count, title"
curl -ku <user:pass> https://localhost:8089/servicesNS/admin/search/search/jobs/1650521075.4791/results/ --get -d output_mode=json
Just switch user, pass and localhost to the correct values. If/when there is an official TLS cert in place, you don't need -k on curl.
r. Ismo
Try the search without the "search" keyword,
i.e.
'search=|rest /servicesNS/-/-/saved/searches/ splunk_server=local ...
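The two-step flow from Ismo's curl commands (create the job, then GET its results by SID) together with the fix from the last reply (don't prefix a generating command like |rest with the search keyword) as one small Python client. This is an added example, not code from the original posts or from Splunk. It assumes the management port (8089 by default) and a bearer token, and the `fetch` parameter is a hypothetical hook so the same logic runs against a live server (default: urllib) or against constructed responses offline; the environment variable names in the main block are assumptions too.

```python
"""Create a Splunk search job over the REST API, poll it and fetch results.

Added example for this thread, not code from the original posts or from Splunk.
The `fetch` hook is an assumption of this example: it lets the logic run against
a live server (default: urllib) or against constructed responses offline.
"""
import json
import re
import time
import urllib.parse
import urllib.request


def normalize_query(query: str) -> str:
    """Return a query string that Splunk will accept in the `search` field.

    A search must start either with the `search` keyword or with a generating
    command such as `|rest`. Writing `search |rest ...`, as in the question,
    yields: "Error in 'rest' command: This command must be the first command
    of a search."
    """
    q = query.strip()
    m = re.match(r"search\s*(\|.*)", q, re.IGNORECASE | re.DOTALL)
    if m:                                   # "search |rest ..." -> "|rest ..."
        return m.group(1)
    if q.startswith("|") or re.match(r"search\s", q, re.IGNORECASE):
        return q                            # already well-formed
    return "search " + q                    # plain "index=... field=..." query


def http_fetch(url, body=None, headers=None):
    """Default transport: POST when `body` is given, GET otherwise.

    TLS verification stays on (unlike `curl -k`); trust the server's CA
    instead of disabling checks.
    """
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def _auth(token):
    return {"Authorization": f"Bearer {token}"}


def _check_messages(doc):
    """Raise if Splunk answered with an ERROR/FATAL message instead of data."""
    for msg in doc.get("messages", []):
        if msg.get("type") in ("ERROR", "FATAL"):
            raise RuntimeError(f"Splunk {msg['type']}: {msg.get('text')}")


def create_job(base_url, token, query, fetch=http_fetch):
    """POST /services/search/jobs (form-encoded) and return the sid."""
    body = urllib.parse.urlencode(
        {"search": normalize_query(query), "output_mode": "json"}
    ).encode()
    headers = {**_auth(token), "Content-Type": "application/x-www-form-urlencoded"}
    doc = json.loads(fetch(f"{base_url}/services/search/jobs", body, headers))
    _check_messages(doc)
    return doc["sid"]


def job_is_done(base_url, token, sid, fetch=http_fetch):
    """GET the job entry and read its isDone flag."""
    sid_q = urllib.parse.quote(sid, safe="")
    url = f"{base_url}/services/search/jobs/{sid_q}?output_mode=json"
    doc = json.loads(fetch(url, None, _auth(token)))
    return bool(doc["entry"][0]["content"]["isDone"])


def get_results(base_url, token, sid, fetch=http_fetch):
    """GET .../results once the job is done; return the list of result rows."""
    sid_q = urllib.parse.quote(sid, safe="")
    url = f"{base_url}/services/search/jobs/{sid_q}/results?output_mode=json"
    doc = json.loads(fetch(url, None, _auth(token)))
    _check_messages(doc)
    return doc.get("results", [])


def run_search(base_url, token, query, fetch=http_fetch,
               poll_interval=1.0, max_polls=120):
    """Create the job, wait until it is done, then fetch its results."""
    sid = create_job(base_url, token, query, fetch)
    for _ in range(max_polls):
        if job_is_done(base_url, token, sid, fetch):
            return get_results(base_url, token, sid, fetch)
        time.sleep(poll_interval)
    raise TimeoutError(f"search job {sid} did not finish in time")


if __name__ == "__main__":
    import os
    import sys
    # Assumed environment (not from the thread): SPLUNK_URL such as
    # https://splunkcloud.example:8089 and SPLUNK_TOKEN holding the bearer token.
    rows = run_search(
        os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"],
        "|rest /servicesNS/-/-/saved/searches/ splunk_server=local "
        "| rename eai:* as * | rename acl.* as * | search app=* "
        "| table triggered_alert_count, title",
    )
    json.dump(rows, sys.stdout, indent=2)
```

The body is sent form-encoded, which is what the `search=` field in the curl commands above actually is, so the Content-Type matches the payload. Polling `isDone` before calling `/results` matters because Splunk returns an empty body for a job that is still running.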