Splunk Search

command line search from remote host, with no splunk products installed

DTERM
Contributor

I've created a saved search on an indexer. I set the permissions such that the search is available for all apps. I've given group "everyone" read access to the search.

Now from a remote server, without any Splunk application installed, I want to run a wget against the saved URL. However, I am not able to do so. There are no firewall rules or restrictions between the two systems. The command is

wget http://myhost.mydomain.com:8000/en-US/app/search/%40go?s=hostdf

Here is a snapshot of the wget, and the resulting saved file: (Names were changed to protect the guilty). The command works, the saved search works fine, but I'm not getting the search results. Should I be able to run a saved search from the command line of a remote host that does not have any splunk apps installed? Thanks

root@remotehost:/Users/user/trash wget http://splunk-ind.mydomain.com:8000/en-US/app/search/%40go?s=fo03df

--2012-04-27 10:42:15-- http://splunk-ind.mydomain.com:8000/en-US/app/search/%40go?s=fo03df
Resolving splunk-ind.mydomain.com... 10.167.148.74, fd02:c9e3:a6c0:4705::230
Connecting to splunk-ind.mydomain.com|10.167.148.74|:8000... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://splunk-ind.mydomain.com:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%2540go%... [following]
--2012-04-27 10:42:15-- http://splunk-ind.mydomain.com:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%2540go%...
Reusing existing connection to splunk-ind.mydomain.com:8000.
HTTP request sent, awaiting response... 200 OK
Length: 7529 (7.4K) [text/html]
Saving to: `login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go?s=fo03df'

100%[==================================================================================================================================>] 7,529 --.-K/s in 0.001s

2012-04-27 10:42:15 (6.42 MB/s) - `login?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go?s=fo03df' saved [7529/7529]

root@remotehost:/Users/user/trash more login\?return_to=%2Fen-US%2Fapp%2Fsearch%2F%40go\?s=fo03df
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<!-- live to code, code to live... -->

<head>
    <meta http-equiv="X-UA-Compatible" content="IE=7, IE=9, chrome=IE8" />
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="content-language" content="en_US" />
    <meta http-equiv="imagetoolbar" content="no" />
    <meta name="author" content="Splunk Inc." />
    <link rel="apple-touch-icon" href="/en-US/static/@115073/img/iosicon.png" />
    <link rel="shortcut icon" href="/en-US/static/@115073/img/favicon.ico" />
    <title>
    Login -
Splunk</title>
        <script type="text/javascript" src="/en-US/config?autoload=1"></script>
                <script type="text/javascript">
                    var DISABLE_MESSENGER = true;
                </script>
            <script type="text/javascript" src="/en-US/static/@115073/js/common.min.js"></script>
        <link rel="stylesheet" href="/en-US/static/@115073/css/login.css" />
</head>
<body>

1 Solution

Lowell
Super Champion

You can't easily call Splunk Web from the command line and expect anything readable. The actual searching process is all kicked off via AJAX voodoo. Nothing easily parseable like straight HTML tables... However, Splunk offers some nice features via its REST API.

Check out Intro to REST API Tutorial for a quick way to get started. For your question specifically, see the "Searching" section.

The example shown there uses "curl" but you should be able to translate that to work with "wget" if "curl" isn't available.

curl  -k -u admin:changeme  -d 'search="search error | head 10"' -d "output_mode=csv" https://localhost:8089/servicesNS/admin/search/search/jobs/export

Change "output_mode" to "raw", "xml", or "json" depending on your needs.
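
The curl call above translated to wget and pointed at the asker's saved search, as an added example that is not part of the thread or of Splunk's documentation. It keeps TLS verification on (`--ca-certificate` instead of an equivalent of curl's `-k`) and refuses to accept an HTML page, such as the login page the original wget saved, as results. `SPLUNK_HOST`, `SPLUNK_USER`, `SPLUNK_PASS`, `SPLUNK_CA` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: run a saved search through the REST export endpoint with wget.
# Assumed environment (placeholders, not from the thread):
#   SPLUNK_HOST, SPLUNK_USER, SPLUNK_PASS, SPLUNK_CA (PEM file of the issuing CA)

# Percent-encode a string for an application/x-www-form-urlencoded POST body.
urlencode() (
    LC_ALL=C; s=$1; out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest      # peel off the first byte
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# Build the POST body. Names with characters outside the allow-list are
# refused so a caller-supplied name cannot append extra search commands.
export_body() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf 'search=%s&output_mode=csv' "$(urlencode "| savedsearch $1")"
}

# True when the file starts like a web page rather than search results.
is_html_page() {
    head -n 5 "$1" | grep -qi -e '<!DOCTYPE html' -e '<html'
}

# $1 = saved search name, $2 = output file
run_saved_search() {
    body=$(export_body "$1") || { echo "refusing search name: $1" >&2; return 2; }
    # --password is visible in the process list; wget also reads ~/.netrc.
    wget -q --ca-certificate="$SPLUNK_CA" \
         --user="$SPLUNK_USER" --password="$SPLUNK_PASS" \
         --post-data="$body" -O "$2" \
         "https://$SPLUNK_HOST:8089/servicesNS/$SPLUNK_USER/search/search/jobs/export" \
         || return 1
    if is_html_page "$2"; then
        echo "received an HTML page instead of results" >&2; return 3
    fi
}

# Only contact the server when a saved search name is given as an argument.
if [ -n "${1:-}" ]; then run_saved_search "$1" "${2:-results.csv}"; fi
```
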
