Solved: Re: My dbxquery search via REST API results in "er...

johnwalk · ‎10-27-2016

attempting to query a database via the REST API (using python requests package) --

getting the session key works fine:

r = requests.post("<host>/services/auth/login",data={"username":<username>,"password":<password>},params={"output_mode":"json"})
sessionkey = r.json()['sessionKey']

and a relatively simple dbxquery call POSTs without error:

 r = requests.post("<host>/services/search/jobs",headers={"Authorization":"Splunk {}".format(sessionkey)},data={"output_mode":"json","query":"| dbxquery connection='MXProd' query='SELECT * FROM mx.mx.institutions'"})
sid = r.json()['sid']

for the job ID, with the query developed based on a matching query within the web browser frontend. However, trying to pull the result of the dbxquery down results in the error:

'External search command \'dbxquery\' returned error code 1. Script output = "HTTPError: HTTP 404 Not Found -- \n In handler \'conf-db_connections\': Could not find object id=\'MXProd\'\n"'

The same query ran without issue in the frontend, and I can't seem to find anything in the API examples that would point to the error -- but clearly I'm missing a step. Any ideas?

Running Splunk Enterprise 6.4.3 and Splunk DB Connect version 2.3.1

johnwalk · ‎10-28-2016

Solved issue -- based on the structure of the query, I was expecting search to be a KV parameter passed in through the data field of the POST query. Rather, the splunk search syntax should be preserved as the full string, with that passed in as the POST body, e.g.

r = requests.post("<host>/services/search/jobs",headers={"Authorization":"Splunk {}".format(sessionkey)},data="search = | dbxquery query=\"SELECT * FROM mx.mx.institutions\" connection=\"MXProd\"",params={"output_mode":"json"})

which works as expected.

View solution in original post

johnwalk · ‎10-28-2016

Solved issue -- based on the structure of the query, I was expecting search to be a KV parameter passed in through the data field of the POST query. Rather, the splunk search syntax should be preserved as the full string, with that passed in as the POST body, e.g.

r = requests.post("<host>/services/search/jobs",headers={"Authorization":"Splunk {}".format(sessionkey)},data="search = | dbxquery query=\"SELECT * FROM mx.mx.institutions\" connection=\"MXProd\"",params={"output_mode":"json"})

which works as expected.

klops · ‎10-27-2016

backend dbx2.log showed something fairly generic. It almost looks as if the interpreter couldn't find the proper connection stanza in the db_connections.conf file:

2016-10-27T20:25:52+0000 [ERROR] [dbxquery.py], line 41 : action=dbxquery_command_failure error=HTTP 404 Not Found --
 In handler 'conf-db_connections': Could not find object id='MXProd'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.py", line 39, in wrap
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.py", line 256, in generate
    connection_info = self._retrieve_connection_info(user, session_key)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.py", line 147, in _retrieve_connection_info
    db, self.db_health = ci.get_connection(self.connection, user, session_key)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/rest_api/connection_info.py", line 30, in get_connection
    dbm, conn = _get_conn_params(connection_name, service)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/rest_api/connection_info.py", line 64, in _get_conn_params
    conn = ConnectionConf(splunk_service, connection_name).content
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/connection_conf.py", line 10, in __init__
    client.Entity.__init__(self, service, path, **kwargs)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/client.py", line 872, in __init__
    self.refresh(kwargs.get('state', None))  # "Prefresh"
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/client.py", line 1011, in refresh
    self._state = self.read(self.get())
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/client.py", line 981, in get
    return super(Entity, self).get(path_segment, owner=owner, app=app, sharing=sharing, **query)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/client.py", line 738, in get
    **query)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/binding.py", line 286, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/binding.py", line 68, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/binding.py", line 660, in get
    response = self.http.get(path, self._auth_headers, **query)
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/binding.py", line 1150, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/../../splunk_sdk-1.5.0-py2.7.egg/splunklib/binding.py", line 1205, in request
    raise HTTPError(response)
HTTPError: HTTP 404 Not Found --
 In handler 'conf-db_connections': Could not find object id='MXProd'

My dbxquery search via REST API results in "error code 1. Script output = "HTTPError: HTTP 404 Not Found" - how to fix?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases