I have a query which uses "subsearch", so it has a search keyword within the query. I get results when I run this query as a normal user, but this query returns no data when it is run by a bot_user through the REST endpoint. I am not sure if it is due to the "search" keyword in the query or due to some privilege difference between the normal user and bot_user.
Hi vijaydudipala88,
Yes, queries can contain the "search" keyword and be accessed through REST endpoints. For details, see: http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTREF/RESTsearch
The API supports token-based authentication using the standard HTTP Authorization header. This is the recommended method to programmatically access resources. For details, please refer to documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTUM/RESTusing#Authentication_and_authorization
Hope this helps. Thanks!
Hunter
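An added example (not part of the original posts and not Splunk's own code) of the request the answer above describes: the same subsearch query is built once per account with that account's session key in the Authorization header, and the streamed results are counted so the two accounts can be compared. The host, session keys, query and response bodies are constructed placeholders; the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample SPL containing a subsearch (not the poster's query).
SAMPLE_QUERY = "index=web [search index=auth action=failure | fields user]"

def normalize_spl(query):
    """Prefix a bare search with the 'search' command, as the REST
    search endpoints expect; leave '| command' pipelines untouched."""
    q = query.strip()
    if q.startswith("|") or q.lower().startswith("search "):
        return q
    return "search " + q

def build_export_request(base_url, session_key, query, earliest="-15m"):
    """Build (not send) a POST to search/jobs/export for one account."""
    form = {"search": normalize_spl(query),
            "earliest_time": earliest,
            "output_mode": "json"}
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs/export",
        data=urllib.parse.urlencode(form).encode(),
        method="POST")
    # Session key from /services/auth/login, sent in the Authorization header.
    req.add_header("Authorization", "Splunk " + session_key)
    return req

def parse_export(body):
    """export streams one JSON object per line; rows carry a 'result' key."""
    rows = []
    for line in body.splitlines():
        if line.strip():
            obj = json.loads(line)
            if "result" in obj:
                rows.append(obj["result"])
    return rows

# Constructed response bodies for the two accounts in the question.
SAMPLE_NORMAL = ('{"preview":false,"offset":0,"result":{"user":"alice"}}\n'
                 '{"preview":false,"offset":1,"result":{"user":"bob"}}\n')
SAMPLE_BOT = '{"preview":false,"lastrow":true}\n'

def row_counts(bodies):
    """Map account name -> number of result rows returned to it."""
    return {name: len(parse_export(b)) for name, b in bodies.items()}
```

Passing each request to `urllib.request.urlopen` and feeding the decoded bodies to `row_counts` shows whether an identical, correctly prefixed query returns rows for one account and none for the other.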
Can you post a simplified version of the query here for review?