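You can use the /services/search/parser REST endpoint to validate SPL. In the examples below, -k turns off TLS certificate verification, which is only appropriate for a local instance with a self-signed certificate; against any other host, verify the certificate instead (for example with --cacert). Putting the password in -u also leaves it in shell history and the process list; giving only the user name (-u admin) makes curl prompt for it.

smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar" https://localhost:8089/services/search/parser | jq .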
{
"remoteSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"normalizedSearch": "litsearch (index=foo sourcetype=bar) | fields keepcolorder=t \"_bkt\" \"_cd\" \"_si\" \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"remoteTimeOrdered": true,
"eventsSearch": "search index=foo sourcetype=bar",
"eventsTimeOrdered": true,
"eventsStreaming": true,
"reportsSearch": "",
"isStreamingSearch": true,
"canSummarize": false,
"commands": [
{
"command": "search",
"rawargs": "index=foo sourcetype=bar",
"pipeline": "streaming",
"args": {
"search": [
"(index=foo sourcetype=bar)"
]
},
"isGenerating": true,
"streamType": "SP_STREAM"
}
]
}
smcmaster@splunk ~ % curl -s -k -u admin:***** -d output_mode=json -d q="search index=foo sourcetype=bar | bizzbuzz" https://localhost:8089/services/search/parser | jq .
{
"messages": [
{
"type": "FATAL",
"text": "Unknown search command 'bizzbuzz'."
}
]
}
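smcmaster@splunk ~ %

Successful parsing (as in the first example) returns HTTP 200; a parse failure (as in the second example) returns HTTP 400. Because curl -s does not print the status code, a script that needs it can write the body to a file with -o and read the code with -w '%{http_code}', or test for a "messages" entry of type FATAL in the response body.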