Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is | rest command not returning any data where...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is | rest command not returning any data where CURL works?
Good morning fellow Splunkthiasts!
I am trying to build some dashboard using Splunk REST, unfortunately I can not get the data from certain endpoints when using | rest SPL command, while CURL approach returns what is expected.
To be specific, I want to read /services/search/jobs/<SID>/summary endpoint. Following SPL returns 0 results:
| rest /services/search/jobs/1648543133.8/summary
When called externally, the endpoint works as expected:
[2022-03-29 10:46:25] root@splunk1.lab2.local:~# curl -k -u admin:pass https://localhost:8089/services/search/jobs/1648543133.8/summary --get | head
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15578 100 15578 0 0 661k 0 --:--:-- --:--:-- --:--:-- 661k
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field>_bkt</field>
<field>_cd</field>
<field>_eventtype_color</field>
<field>_indextime</field>
<field>_kv</field>
<field>_raw</field>
The same happens with /services/search/jobs/<SID>/results and /services/search/jobs/<SID>/events.
When I call /services/search/jobs/ or /services/search/jobs/<SID>, data is returned by both SPL and CURL. I tried this on several Splunk instances with versions ranging from 8.2.3 back to 7.3.3, always using account with admin role - the behavior is always exactly the same.
Any hints what I might be missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@eregon , @MKozanic - These endpoints that you mentioned definitely don't work with SPL command, I can confirm that.
Now, this could be a bug or intentionally not implemented stuff. I'm not sure. But you can do some of these with other SPL functionalities.
Like, you could fetch the results with loadjob command.
| loadjob 1655385534.107304
I would suggest you to change your direction of search. Whatever data you want try to see if there is a separate SPL command to get it.
References:
- https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commandsbycategory
- https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Loadjob
- And Splunk Answers
I hope this helps!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@eregon ,
Did you figure this one out? I'm having the same issue with one of the instances I look after.
Can curl OK - but get nothing when trying to run | rest command from SPL.
Have not seen this issue before - haven't been able to determine the cause as yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MKozanic , unfortunately not yet. I got some hints from Splunk expert at .conf, so I'll try and see.
However, you mention you have this issue on one of your instances - does that mean you have some instances where | rest works as expected?
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
