command line search from remote host, with no splunk products installed

DTERM
Contributor

I've created a saved search on an indexer. I set the permissions such that the search is available for all apps. I've given group "everyone" read access to the search.

Now from a remote server, without any Splunk application installed, I want to run a wget against the saved URL. However, I am not able to do so. There are no firewall rules or restrictions between the two systems. The command is

wget http://myhost.mydomain.com:8000/en-US/app/search/%40go?s=hostdf

Here is a snapshot of the wget, and the resulting saved file: (Names were changed to protect the guilty). The command works, the saved search works fine, but I'm not getting the search results. Should I be able to run a saved search from the command line of a remote host that does not have any splunk apps installed? Thanks

root@remotehost:/Users/user/trash wget http://splunk-ind.mydomain.com:8000/en-US/app/search/%40go?s=fo03df

--2012-04-27 10:42:15-- http://splunk-ind.mydomain.com:8000/en-US/app/search/%40go?s=fo03df
Resolving splunk-ind.mydomain.com... 10.167.148.74, fd02:c9e3:a6c0:4705::230
Connecting to splunk-ind.mydomain.com|10.167.148.74|:8000... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://splunk-ind.mydomain.com:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%2540go%... [following]
--2012-04-27 10:42:15-- http://splunk-ind.mydomain.com:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%2540go%...
Reusing existing connection to splunk-ind.mydomain.com:8000.
HTTP request sent, awaiting response... 200 OK
Length: 7529 (7.4K) [text/html]
Saving to: `login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go?s=fo03df'

100%[==================================================================================================================================>] 7,529 --.-K/s in 0.001s

2012-04-27 10:42:15 (6.42 MB/s) - `login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go?s=fo03df' saved [7529/7529]

root@remotehost:/Users/user/trash more login\?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go\?s=fo03df
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<!-- live to code, code to live... -->

<head>
    <meta http-equiv="X-UA-Compatible" content="IE=7, IE=9, chrome=IE8" />
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="content-language" content="en_US" />
    <meta http-equiv="imagetoolbar" content="no" />
    <meta name="author" content="Splunk Inc." />
    <link rel="apple-touch-icon" href="/en-US/static/@115073/img/iosicon.png" />
    <link rel="shortcut icon" href="/en-US/static/@115073/img/favicon.ico" />
    <title>
    Login -     
Splunk</title>



        <script type="text/javascript" src="/en-US/config?autoload=1"></script>             




                <script type="text/javascript">
                    var DISABLE_MESSENGER = true;
                </script>
            <script type="text/javascript" src="/en-US/static/@115073/js/common.min.js"></script>                 




        <link rel="stylesheet" href="/en-US/static/@115073/css/login.css" />             








</head>
<body>


Lowell
Super Champion

You can't easily call splunk web from the commandline and expect anything readable. The actual searching process is all kicked off via AJAX voodoo. Nothing easily parseable like straight HTML tables.... However, splunk offers some nice features via its REST API.

Check out the Intro to REST API Tutorial for a quick way to get started. For your question specifically, see the "Searching" section.

The example shown there uses "curl" but you should be able to translate that to work with "wget" if "curl" isn't available.

curl  -k -u admin:changeme  -d 'search="search error | head 10"' -d "output_mode=csv" https://localhost:8089/servicesNS/admin/search/search/jobs/export

Change "output_mode" to "raw", "xml", or "json" depending on your needs.

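An added illustration of the approach in this answer, written for this page rather than taken from the post or from Splunk's own SDK: a small Python script that dispatches a saved search through the management port's export endpoint and parses what comes back. It assumes the management port 8089 (not the Splunk Web port 8000 the question's wget hit), a saved search named "hostdf" as in the question, and a Splunk authentication token sent as an Authorization: Bearer header instead of the admin:changeme basic-auth in the curl line. The host names and the sample result rows are constructed. The HTTP call is separated from the request builder and the parser so the latter two can be exercised without a live Splunk instance, and the parser reports the failure mode the question ran into (an HTML login page instead of results) as an error rather than silently returning nothing.

```python
"""Dispatch a Splunk saved search from a host with no Splunk software installed.

Added example, not code from the original post or from Splunk. Assumptions:
the Splunk management port (8089, not the Splunk Web port 8000 the question
used), a saved search named "hostdf", and an authentication token created in
Splunk Web. Host names and sample rows below are constructed.
"""
import json
import urllib.parse
import urllib.request

EXPORT_PATH = "/services/search/jobs/export"


def build_request(base_url, saved_search, token):
    """Build the POST that runs a saved search through the SPL `savedsearch`
    command and streams the results back as newline-delimited JSON."""
    body = urllib.parse.urlencode({
        "search": f'| savedsearch "{saved_search}"',
        "output_mode": "json",
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + EXPORT_PATH,
        data=body,
        # Token auth instead of a password on the command line; the curl line
        # in the answer uses -u admin:changeme, Splunk's well-known default.
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )


def parse_export(body_text):
    """Turn the export stream into a list of result rows.

    Each line is one JSON object; final rows carry preview=false and the row
    under "result". Preview rows are intermediate and skipped. A body that
    starts with '<' is HTML: that is what the question's wget saved after the
    302 to /account/login, so it is reported as an error, not parsed."""
    if body_text.lstrip().startswith("<"):
        raise ValueError(
            "got an HTML page, not search results: the request reached Splunk "
            "Web (port 8000) or was redirected to the login form; use the "
            "management port (8089) with a token or credentials"
        )
    rows = []
    for line in body_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def default_fetch(req):
    """Send the request and return the raw response body.

    urlopen verifies the server certificate. For a self-signed Splunk cert,
    pass an ssl.SSLContext loaded with that cert via `context=` rather than
    disabling verification (the curl -k in the answer)."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def run_saved_search(base_url, saved_search, token, fetch=default_fetch):
    """Run the saved search and return its rows. `fetch` is injectable so the
    function can be driven from constructed data without a live server."""
    req = build_request(base_url, saved_search, token)
    return parse_export(fetch(req).decode("utf-8"))


# Constructed sample of what /services/search/jobs/export returns with
# output_mode=json: one preview row, then the final rows.
SAMPLE_EXPORT = (
    '{"preview":true,"offset":0,"result":{"host":"fo03df","count":"1"}}\n'
    '{"preview":false,"offset":0,"result":{"host":"fo03df","count":"42"}}\n'
    '{"preview":false,"offset":1,"lastrow":true,'
    '"result":{"host":"fo04df","count":"7"}}\n'
)

# First line of the login page the question's wget saved instead of results.
SAMPLE_LOGIN_HTML = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">'


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: python splunk_saved_search.py \
        #     https://splunk-ind.mydomain.com:8089 hostdf "$SPLUNK_TOKEN"
        for row in run_saved_search(sys.argv[1], sys.argv[2], sys.argv[3]):
            print(row)
    else:
        # Offline demonstration on the constructed sample.
        print(parse_export(SAMPLE_EXPORT))
```

Run it with the management URL, the saved search name and a token in the environment (never on the command line of a shared host, where it would show up in the process list); with no arguments it parses the constructed sample instead. The token should belong to a user whose role is limited to the app and indexes the saved search needs, rather than the admin account in the curl line, so that a leaked token on the remote host does not give full control of the indexer.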
