Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I receiving this Error while using the |rest in the splunk rest API?

smaran06
Path Finder
‎04-20-2022 06:29 PM

Hi Team,

I am trying to run a search and get the searchId, I will use this searchId later to fetch the results.

 

 

 

curl --location --request POST 'https://splunkcloud.com:<port>/services/search/jobs?output_mode=json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer JWT' \
--data-raw 'search=search |rest /servicesNS/-/-/saved/searches/ splunk_server=local | rename eai:* as * | rename acl.* as *|search app=*| table triggered_alert_count, title

 

 

 

I am getting the SID and  doing get

 

 

 

https://splunkcloud.com:<port>/services/search/jobs/<SID>/results?output_mode=json

 

 

 

 I am getting the error as below

 

 

 

{
    "messages": [
        {
            "type": "FATAL",
            "text": "Error in 'rest' command: This command must be the first command of a search."
        }
    ]
}

 

 

 

 

 This works fine for normal searches, but not for searches thats starts with |rest. Let me know why rest is not taking | even after adding it.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-20-2022 09:46 PM

What are you trying to do? Use a REST call to create a | rest search? Kinda pointless. Why don't you call the proper  REST endpoint directly?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-20-2022 11:09 PM

Hi

this should work

curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search="|rest /servicesNS/-/-/saved/searches/ splunk_server=local | rename eai:* as * | rename acl.* as *|search app=*| table triggered_alert_count, title"
curl -ku <user:pass> https://localhost:8089/servicesNS/admin/search/search/jobs/1650521075.4791/results/ --get -d output_mode=json

Just switch user, pass and localhost to the correct values. If/when there is official TLS cert in place, then you don't need -k on curl.

r. Ismo 

0 Karma
Reply

renjith_nair
Legend
‎04-20-2022 06:55 PM

Try the search without the "search" keyword.

ie.

'search=|rest /servicesNS/-/-/saved/searches/ splunk_server=local ...
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...