REST API for pre-sorted data

abarkerSendGrid
New Member

Hi Splunk Pros,

I'm looking for a way to grab processed, sorted data via a REST API call. For instance when logged into the Splunk search dashboard, I can get a sorted list of data based on an event that I'm able to specify:

"event=spamreport | top limit=50 userid | table userid, count"

which processes the raw log data and returns an organized list of userids sorted by their total spam report count.

Is there a way to get this pre-processed, sorted data via a REST API call? Using the same search string above, I've tried both synchronously returning results with /search/search/jobs/export as well as asynchronously returning results with /search/search/jobs to create a job and /search/search/jobs/JOBID/results to retrieve the data once the job is complete. However, both approaches only give me the raw data, not the sorted list that I can see from the web search dashboard. I've tried playing with the output_mode, but no option that I'm aware of produces the desired result.

Are there any options other than a REST API call? I'm looking for something that is easily doable from the command line or a script and that doesn't require running the search from the same server that contains the log data.

Thanks very much!


Neeraj_Luthra
Splunk Employee

If you specify the "f" parameter in your request, you should be able to get your desired aggregated output. You can do this with both jobs/${search_id}/results as well as jobs/export. Below is a small code snippet for both of these calls.


curl -k -u admin:changeme https://localhost:8089/services/search/jobs/export -d search="search index%3D_internal | top limit%3D10 sourcetype" -d output_mode=csv -d f=sourcetype -d f=count
OR
curl -k -u admin:changeme https://localhost:8089/services/search/jobs/${search_id}/results --get -d output_mode=csv -d f=sourcetype -d f=count

Also, I am not sure if you are aware of the Splunk SDKs (Java, JavaScript, Python, PHP) but I would encourage accessing the REST APIs through them as they make it easier for you to manage and work with Splunk objects and you can stay in the comfort zone of your preferred language.

If you need help or code sample to implement the commands above through any of the SDKs, feel free to contact me.

Hope this helps.

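The two calls in the answer above, carried through as a small stand-alone script. This is an added example for this thread, not code from the thread or from Splunk's SDKs. It assumes a Splunk management port at the base_url you pass (the answer used https://localhost:8089), basic-auth credentials, and only the endpoints and parameters named above: jobs/export with search, output_mode and repeated f, and jobs -> jobs/<sid> -> jobs/<sid>/results for the asynchronous path. The CSV sample at the top is constructed to match the shape the asker wants, so the parsing half runs offline; the isDone flag read while polling is the job status field in Splunk's JSON output.

```python
import base64
import csv
import io
import json
import ssl
import time
import urllib.parse
import urllib.request

EXPORT_PATH = "/services/search/jobs/export"
JOBS_PATH = "/services/search/jobs"

# Constructed sample of the CSV that jobs/export returns for the asker's
# "top limit=50 userid | table userid, count" search (values from the thread).
SAMPLE_EXPORT_CSV = """userid,count
340930,496
129298,434
34465,128
100891,80
"""


def normalize_spl(spl):
    """The REST endpoints want a complete SPL string. The search bar silently
    prepends 'search' to a query that starts with a bare term; do it here so
    'event=spamreport | top ...' is accepted as-is (generating searches that
    start with '|' are left alone)."""
    spl = spl.strip()
    if spl.startswith("search ") or spl.startswith("|"):
        return spl
    return "search " + spl


def build_params(spl, fields, output_mode="csv"):
    """Form parameters for jobs/export: one 'f' entry per field to keep,
    which is what turns the raw events into the aggregated columns."""
    params = [("search", normalize_spl(spl)), ("output_mode", output_mode)]
    params.extend(("f", field) for field in fields)
    return params


def encode_params(params):
    """urlencode() percent-encodes '=', '|' and ',' inside the SPL itself,
    so nothing has to be hand-written as %3D the way the curl example does."""
    return urllib.parse.urlencode(params)


def parse_csv_results(text):
    """Splunk's CSV output -> list of dicts, one per aggregated row."""
    return list(csv.DictReader(io.StringIO(text)))


class SplunkClient:
    def __init__(self, base_url, username, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.auth_header = "Basic " + token
        # Verify the management port's certificate (curl -k in the answer skips
        # this); pass cafile= when the instance uses a self-signed certificate.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _request(self, method, path, query=None, body=None):
        url = self.base_url + path
        if query:
            url += "?" + encode_params(query)
        data = encode_params(body).encode() if body else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        with urllib.request.urlopen(req, context=self.ctx, timeout=120) as resp:
            return resp.read().decode()

    def export(self, spl, fields):
        """Synchronous path: one POST, the finished rows stream back as CSV."""
        return parse_csv_results(
            self._request("POST", EXPORT_PATH, body=build_params(spl, fields)))

    def run_job(self, spl, fields, poll_seconds=1.0, max_wait=300):
        """Asynchronous path: create the job, wait until it is done, then GET
        its results with the same f= selection the export call uses."""
        created = self._request("POST", JOBS_PATH, body=[
            ("search", normalize_spl(spl)), ("output_mode", "json")])
        sid = json.loads(created)["sid"]
        deadline = time.monotonic() + max_wait
        while True:
            status = json.loads(self._request(
                "GET", f"{JOBS_PATH}/{sid}", query=[("output_mode", "json")]))
            if status["entry"][0]["content"].get("isDone") in (True, "1"):
                break
            if time.monotonic() > deadline:
                raise TimeoutError(f"search job {sid} not done after {max_wait}s")
            time.sleep(poll_seconds)
        query = [("output_mode", "csv")] + [("f", field) for field in fields]
        return parse_csv_results(
            self._request("GET", f"{JOBS_PATH}/{sid}/results", query=query))
```

Against a live instance, `SplunkClient("https://localhost:8089", "admin", "changeme").export("event=spamreport | top limit=50 userid | table userid, count", ["userid", "count"])` returns the rows already aggregated by `top`; `run_job` gives the same rows via the job endpoints. Both paths run from any host that can reach port 8089, which is the asker's remaining requirement.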

Damien_Dallimor
Ultra Champion

Have you tried adding the sort command into the search pipeline you are using in the REST call?

search event=spamreport | top limit=50 userid | table userid, count | sort - count

abarkerSendGrid
New Member

Is this aggregated output format possible with a REST API call? Is there another way to go about this? The only requirement for me is that the API search doesn't require itself to be run on the same machine as the data.


abarkerSendGrid
New Member

Adding the sort command didn't get me what I'm looking for, for either synchronous or asynchronous searches.

Let me describe more specifically what I'm looking for. Below is the format of output I would like to get from the REST call.

userid count
340930 496
129298 434
34465 128
100891 80

This is possible by running the following search command directly on the server where the data exists.

/opt/splunk/bin/splunk search "search event=spamreport | top limit=50 userid | table userid, count | sort - count" output=rawdata -auth $SPLUNKUSER:$SPLUNKPASS 2>/dev/null
