Powershell3 invoke-restmethod errors

vdubgeek
New Member

I'm trying to call the REST API using the new cmdlet, invoke-restmethod, and I'm experiencing odd connectivity errors when calling a couple of the search methods.

I'm able to successfully submit a search job using this cmdlet, and I get back a valid SID. When I try to retrieve the status of the SID, or the search results for the SID, I get an odd connectivity error. The syntax of the call is as follows:

invoke-restmethod -uri https://usvciwbs701:8091/services/search/jobs/<sid> -Credential $myCredObj

I immediately get the following error returned:

>     invoke-restmethod : The underlying connection was closed: An unexpected error occurred on a send.
>     At line:1 char:1
>     + invoke-restmethod -uri https://usvciwbs701.usvci001.vci.na.vwg:8089/services/sea ...
>     + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
>         + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

It's very odd, as I'm able to submit jobs using this cmdlet, and I'm able to query all jobs, but as soon as I try to query an individual SID or its return results, I get my connection dropped.

Additionally, when I query the SID using curl, I get back the expected results. Is this a known issue with using PowerShell to call the REST API directly, or should this work?

Any tips or troubleshooting ideas are welcome,

Thanks

0 Karma

dstaulcu
Builder

Here is a search results function which works reliably for me. You can alter the SecurityProtocolType to match the sslVersions type(s) exposed in your search head's server.conf file (server.conf:[applicationsManagement]:sslVersions)

function get-search-results {

    param ($cred, $server, $port, $search)

    # This will allow for self-signed SSL certs to work.
    # The callback is process-wide: it accepts any certificate for every later HTTPS request in this session.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # Pick the protocol to match the server's sslVersions (Ssl3, SystemDefault, Tls, Tls11, Tls12)
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $url = "https://${server}:${port}/services/search/jobs/export" # braces needed b/c the colon is otherwise a scope operator
    $the_search = "search $($search)" # Cmdlet handles urlencoding
    $body = @{
        search      = $the_search
        output_mode = "json"
    }

    $SearchResults = Invoke-RestMethod -Method Post -Uri $url -Credential $cred -Body $body -TimeoutSec 300
    return $SearchResults
}

# $server, $port and $cred must be set before this call (for example, $cred = Get-Credential)
$searchResults = get-search-results -server $server -port $port -cred $cred -search "index=_internal earliest=-5m | stats count by sourcetype"

0 Karma
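
As an added example (not part of dstaulcu's post and not code from the Splunk PowerShell Resource Kit): instead of a callback that returns `$true` for every certificate, the self-signed certificate can be pinned by thumbprint for one host. It assumes Windows PowerShell, where Invoke-RestMethod goes through ServicePointManager; `PinnedCertValidator` is a hypothetical name, and `splunk.example.com` and the thumbprint are placeholders.

```powershell
# Added example. Compiled callback: accepts the pinned certificate for one host only.
Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator
{
    public static string Host;        // host the pin applies to
    public static string Thumbprint;  // expected SHA-1 thumbprint, hex without spaces

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal chain and name validation are accepted as usual.
        if (errors == SslPolicyErrors.None) { return true; }

        // Otherwise accept only the pinned certificate, and only for the pinned host.
        HttpWebRequest req = sender as HttpWebRequest;
        if (req == null || cert == null) { return false; }
        bool hostOk = string.Equals(req.RequestUri.Host, Host,
                                    StringComparison.OrdinalIgnoreCase);
        bool certOk = string.Equals(cert.GetCertHashString(), Thumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        return hostOk && certOk;
    }

    public static void Enable(string host, string thumbprint)
    {
        Host = host;
        Thumbprint = thumbprint;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
"@

$SplunkHost       = 'splunk.example.com'       # placeholder: your search head
$PinnedThumbprint = '<SHA1-THUMBPRINT-HEX>'    # placeholder: thumbprint of its certificate
[PinnedCertValidator]::Enable($SplunkHost, $PinnedThumbprint)

# Same protocol setting as in the answer above; match the server's sslVersions.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$cred = Get-Credential
Invoke-RestMethod -Uri "https://${SplunkHost}:8089/services/search/jobs" -Credential $cred
```

Requests to any other host, or to the pinned host presenting a different certificate, fail validation as they would with no callback installed.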

yosiasz
New Member

I am a newbie with Splunk but was successful in connecting to the API server, downloading the log as XML, and feeding it to SQL Server. Do you have any sort of error trapping in your PowerShell? Let me know if I can help in some way.

0 Karma

vdubgeek
New Member

So far, I've not had any luck getting invoke-restmethod to play with the Splunk REST API. I'm chalking it up as a bug with this cmdlet, as I'm able to use System.Net.WebRequest successfully as an alternate way to call the API with PowerShell. This is a little more involved than just using the invoke-restmethod cmdlet, but it seems to work.

0 Karma

halr9000
Motivator

I can't tell from the error (which I hate when that happens), but this may be related to PowerShell really really hating to work with self-signed certificates. Does your Splunk endpoint have a real cert, or a self-signed one? Assuming it's the latter, a workaround is to grab the Splunk PowerShell Resource Kit, and execute the Disable-CertificateValidation cmdlet prior to running any calls against the REST endpoint. That cmdlet should affect anything done in the same PowerShell session.

0 Karma


halr9000
Motivator

Check in index=_internal, pivot on source or sourcetype.

0 Karma

vdubgeek
New Member

Thanks for the quick response. Sorry, I failed to mention that I am disabling certificate validation using the disable-certificatevalidation cmdlet, which does appear to be working, as I'm able to submit job requests and query all jobs. Do you know if Splunk logs REST API requests anywhere? I'm wondering if that might shed any light on why the connection is being dropped on these API calls.

0 Karma