Hi all,
Before I dive into the issue, I'd like to explain the goal:
I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST endpoint. I've successfully returned results via a curl, but as of yet I have not succeeded using |REST.
I have attempted these tests on both expired and non-expired SIDs.
Below is an example of successfully returning results via curl:
curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/resu...
If I run the following, I successfully retrieve all the various metadata about the search's dispatch itself:
| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/
However, when I attempt to retrieve the results with the following, I get an error about failing to fetch the rest endpoint:
| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results
I've also tried various forms of GET as described here:
All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.
Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.
While probably not best practice, you can use the map function in conjunction with loadjob (as you mentioned) for a thing like this. Assuming your base result set is not massive, you can store it in a lookup table (haven't tested with KV store but don't see why not) and re-attach it to the results using lookup. If anyone knows how to make map simply append the results like a join instead of replacing the results, please chime in.
YourSearchHere | outputlookup tempForMap.csv
| map search="| loadjob $sid$ | eval sid=\"$sid$\"" maxsearches=10
| lookup tempForMap.csv sid OUTPUTNEW
Note that the above assumes your SIDs are in a column called sid. If you can share additional information about the larger objective here, maybe there's a better way.
Please let us know how it's panning out or if you found a better solution.
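For the script fallback the question mentions, here is an added Python example (not code from this thread) that does the same left join client-side against the search/jobs/&lt;sid&gt;/results endpoint from the curl example. It assumes token auth via an Authorization header and takes a fetch function as a parameter so the join logic runs offline on constructed rows; expired SIDs, which the endpoint rejects, are kept as unjoined base rows.

```python
"""Client-side left join of base search rows onto each row's job results
over the Splunk REST API (script alternative to map + loadjob + lookup)."""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List

Row = Dict[str, str]


def results_url(base_url: str, owner: str, app: str, sid: str) -> str:
    # Same endpoint as the curl example in the thread, asking for JSON output.
    return f"{base_url}/servicesNS/{owner}/{app}/search/jobs/{sid}/results?output_mode=json"


def rest_fetcher(base_url: str, owner: str, app: str, token: str,
                 verify_tls: bool = True) -> Callable[[str], List[Row]]:
    """Build a fetch(sid) -> rows function. `token` is assumed to be a Splunk
    authentication token sent as a Bearer header instead of admin:changeme."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for self-signed lab hosts
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(sid: str) -> List[Row]:
        req = urllib.request.Request(results_url(base_url, owner, app, sid),
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)["results"]
    return fetch


def left_join_by_sid(base_rows: List[Row], fetch: Callable[[str], List[Row]]) -> List[Row]:
    """Attach the first result row of each base row's job. A job that cannot be
    fetched (e.g. an expired SID, which Splunk answers with an HTTP error) is
    treated as empty, so the base row survives unjoined, like a left join."""
    joined: List[Row] = []
    cache: Dict[str, List[Row]] = {}
    for row in base_rows:
        sid = row.get("sid", "")
        if sid not in cache:
            try:
                cache[sid] = fetch(sid)
            except (urllib.error.URLError, KeyError, ValueError):
                cache[sid] = []
        extra = cache[sid][0] if cache[sid] else {}
        joined.append({**extra, **row})  # base fields win, like lookup OUTPUTNEW
    return joined


# Constructed sample data standing in for the REST endpoint; not real Splunk output.
SAMPLE_JOBS: Dict[str, List[Row]] = {"1545072559.25": [{"count": "42", "host": "web01"}]}


def fake_fetch(sid: str) -> List[Row]:
    if sid not in SAMPLE_JOBS:
        raise urllib.error.URLError("404 job not found")  # behaves like an expired SID
    return SAMPLE_JOBS[sid]
```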