When I ran a script to access the Splunk API, I got this error:
Search Factory: Unknown search command '1'.
Could you please help with this?
Remember that the UI will append the inferred search command, but the API will not. This means that a search string passed to the API needs to either start with the search command or | to use a generating command.
See the Python Example for sample code that handles this.
If you believe this isn't the issue please paste the search query you are passing to the API for further comment.
Here is my query:
myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'
If I successfully get the data, then I can cat res.csv; otherwise the file will not be generated. My script looks like:
myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'
mystr="curl -k -u username:password https://splkurl//services/search/jobs/export --data-urlencode search=${myquery} -d output_mode=csv -o res.csv"
Managed to get results using the following script:
#!/bin/bash
myquery='search index=_internal component=* earliest=-7d | stats sum(cpu_seconds) by component | fields * | fillnull'
curl -k -u user:pass https://localhost:8089/services/search/jobs/export --data-urlencode "search=${myquery}" -d output_mode=csv -o res.csv
My query looks like "search='search index=xxxxx.....'". Do you have any documentation that mentions the Splunk API not supporting special characters?
After I removed the fillnull, the query works with the API. Do you know whether the API supports fillnull or not?
There is no reason for the API not to support the fillnull command.
I managed to get it working using the following as an example:
search=search+index%3D_internal+component%3D%2A+%7C+stats+sum%28cpu_seconds%29+by+component+%7C+fillnull+value%3DNULL
Please share your full query for further debugging; you can mask anything sensitive if needed.
It sounds like the API is not supporting "fillnull value=NULL". I debugged line by line and am stuck on this line. Any solution?
Hi Jennifer, it would be helpful if you could share a sample of the code you use to post the search.
If you are building the POST data yourself, there should not be quotes inside your search parameter, for example:
search=search+index%3D_internal
(The equals sign is URL-encoded)
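As an added example (not code from this thread or from Splunk), the Python sketch below builds the POST body the answers describe: it makes sure the string starts with the search command or |, drops a stray pair of wrapping quotes, and URL-encodes the result. The function names normalize_search and build_export_body are hypothetical, and the sample queries are constructed from the ones posted above.

```python
from urllib.parse import parse_qs, urlencode


def normalize_search(query: str) -> str:
    """Return a search string in the form the REST API expects.

    Splunk Web infers the leading "search" command; the API does not, so the
    string must start with "search" or with "|" (a generating command).
    """
    q = query.strip()
    # Assumption: one pair of wrapping quotes is shell-quoting residue, as in
    # search='search index=...'. Only strip when that quote character occurs
    # exactly twice, so a query such as "a" OR "b" is left untouched.
    if len(q) >= 2 and q[0] in "'\"" and q[-1] == q[0] and q.count(q[0]) == 2:
        q = q[1:-1].strip()
    if not q:
        raise ValueError("empty search string")
    if q.startswith("|") or q.split(None, 1)[0].lower() == "search":
        return q
    return "search " + q


def build_export_body(query: str, output_mode: str = "csv") -> str:
    """URL-encode the form body for POST /services/search/jobs/export."""
    return urlencode({"search": normalize_search(query), "output_mode": output_mode})


if __name__ == "__main__":
    # Constructed sample queries, modelled on the ones posted in this thread.
    samples = [
        "index=_internal component=* | stats sum(cpu_seconds) by component | fillnull value=NULL",
        "'search index=anyindex sourcetype=anysourcetype earliest=-7d | fields * | fillnull'",
        "| makeresults",
    ]
    for s in samples:
        body = build_export_body(s)
        # Decoding the body shows exactly what the server will parse.
        print(body)
        print("  ->", parse_qs(body)["search"][0])
```

Decoding the body with parse_qs before sending it is a quick way to confirm that pipes, asterisks and equals signs reached the search parameter intact.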