Hi
I'm trying to understand whether using REST APIs, can I -
My goal is -
a. Use a programming language wrapper using programming language wrapper and REST API
b. manipulate/summarize the data in required format
c. use external charting library
d. generate the reports/visualizations
e. schedule this script and run as various user(s) to get relevant data
Any pointers would be great.
thanks, ronak
Hi Martin
Below is the script that I got from the link and the associated result. I made it work for my environment.
I was expecting to see 10 rows (as I see when I execute the same through the Search bar in the browser).
Am I doing something wrong here?
thanks, ronak
---------------------- result --------------------
Ronaks-MacBook-Air:bin root# python rb9.py
search index=* | head 10
({'status': '201', 'content-length': '90', 'x-content-type-options': 'nosniff', 'expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'vary': 'Authorization', 'server': 'Splunkd', 'connection': 'Close', 'location': '/services/search/jobs/1421682152.110', 'cache-control': 'no-store, no-cache, must-revalidate, max-age=0', 'date': 'Mon, 19 Jan 2015 15:42:32 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'text/xml; charset=UTF-8'}, '\n\n 1421682152.110\n\n')
---------------------- script --------------------
import urllib
import httplib2
from xml.dom import minidom
baseurl = 'https://localhost:8089'
userName = 'admin'
password = 'admin'
searchQuery = 'index=* | head 10'
serverContent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login',
    'POST', headers={}, body=urllib.urlencode({'username':userName, 'password':password}))[1]
sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
if not searchQuery.startswith('search'):
    searchQuery = 'search ' + searchQuery
print searchQuery
print httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs','POST',
Hi @ronak
Please be sure that when responding to someone's answer from here on out, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation.
I can't convert your current "answer" to a comment under martin_mueller's answer because of the character count being too large. If your response is hitting a character count limit, just be sure to break it up into multiple comments. Thanks and happy Splunking!
Patrick
Here's a tutorial on how to run searches using the REST API: http://docs.splunk.com/Documentation/Splunk/6.2.1/RESTTUT/RESTsearches
Those searches will be run as whatever user you used to log in, respecting the user's namespace.
Do consider using one of the Splunk SDKs at http://dev.splunk.com/view/sdks/SP-CAAADP7 instead of calling the REST API yourself; it should save you a lot of work on standard tasks such as running searches and getting the results.
The response you received points you to the job that has been created for your search (jobid 1421682152.110). You can query the job as to whether it has finished, whether there's a preview already available, what the eventual search results are, and so on.
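The create, poll and fetch flow this answer describes, as an added Python 3 example (not code from the thread or from Splunk). The names `urllib_transport`, `parse_sid`, `run_search`, the `http` callable and the `cafile` argument are assumptions of this sketch, and unlike the script above it verifies splunkd's certificate instead of disabling validation.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request
from xml.dom import minidom

def urllib_transport(cafile=None):
    """Build an http(method, url, headers, body) callable that verifies the server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA that signed splunkd's cert (assumption)
    def http(method, url, headers, body=None):
        data = urllib.parse.urlencode(body).encode() if body else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode('utf-8')
    return http

def parse_sid(create_body):
    """The 201 body of POST /services/search/jobs is <response><sid>...</sid></response>."""
    return minidom.parseString(create_body).getElementsByTagName('sid')[0].firstChild.nodeValue.strip()

def run_search(http, baseurl, session_key, query, poll_interval=1.0, max_polls=60):
    """Create a search job, wait until it is done, and return its result rows."""
    auth = {'Authorization': 'Splunk %s' % session_key}
    if not query.startswith('search'):
        query = 'search ' + query
    status, body = http('POST', baseurl + '/services/search/jobs', auth, {'search': query})
    if status != 201:
        raise RuntimeError('job not created: HTTP %s' % status)
    job_url = '%s/services/search/jobs/%s' % (baseurl, urllib.parse.quote(parse_sid(body), safe=''))
    for _ in range(max_polls):
        # The job entry reports its progress; a 201 on creation only means the job exists.
        _, body = http('GET', job_url + '?output_mode=json', auth)
        content = json.loads(body)['entry'][0]['content']
        if content['dispatchState'] == 'FAILED':
            raise RuntimeError('search job failed')
        if content['isDone']:
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError('search job still running after %d polls' % max_polls)
    # count=0 asks for every row instead of the default page size.
    _, body = http('GET', job_url + '/results?output_mode=json&count=0', auth)
    return json.loads(body)['results']
```

Against a live server, call `run_search(urllib_transport('/path/to/ca.pem'), baseurl, sessionKey, 'index=* | head 10')` with the session key obtained from `/services/auth/login`; the CA path is a placeholder.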