I'm trying to call the REST API using the new cmdlet, Invoke-RestMethod, and I'm experiencing odd connectivity errors when calling a couple of the search methods.
I'm able to successfully submit a search job using this cmdlet, and I get back a valid SID. When I try to retrieve the status of the SID, or the search results for the SID, I get an odd connectivity error. The syntax of the call is as follows:
invoke-restmethod -uri https://usvciwbs701:8091/services/search/jobs/<sid> -credentials $myCredObj
I immediately get the following error returned:
> invoke-restmethod : The underlying connection was closed: An unexpected
> error occurred on a send.
> At line:1 char:1
> + invoke-restmethod -uri https://usvciwbs701.usvci001.vci.na.vwg:8089/services/sea
> ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : InvalidOperation:
> (System.Net.HttpWebRequest:HttpWebRequest)
> [Invoke-RestMethod], WebException
> + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
It's very odd, as I'm able to submit jobs using this cmdlet, and I'm able to query all jobs, but as soon as I try to query an individual SID or its return results, I get my connection dropped.
Additionally, when I query the SID using curl, I get back the expected results. Is this a known issue with using PowerShell to call the REST API directly, or should this work?
Any tips or troubleshooting ideas are welcome.
Thanks
Here is a search results function which works reliably for me. You can alter the SecurityProtocolType to match the sslVersions type(s) exposed in your search head's server.conf file (server.conf:[applicationsManagement]:sslVersions)
function get-search-results {
    param ($cred, $server, $port, $search)

    # This will allow for self-signed SSL certs to work.
    # Note: it disables certificate validation for every HTTPS call made in
    # this PowerShell session, not just the Splunk ones.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

    # Force the TLS version splunkd expects; older .NET defaults to SSL3/TLS1.0.
    # Other values: Ssl3, SystemDefault, Tls, Tls11, Tls12
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Braces are needed because ${server}: would otherwise be read as a scope operator
    $url = "https://${server}:${port}/services/search/jobs/export"

    # The export endpoint wants the leading "search" command; the cmdlet URL-encodes the body
    $the_search = "search $($search)"
    $body = @{
        search      = $the_search
        output_mode = "json"
    }

    $SearchResults = Invoke-RestMethod -Method Post -Uri $url -Credential $cred -Body $body -TimeoutSec 300
    return $SearchResults
}
$searchResults = get-search-results -server $server -port $port -cred $cred -search "index=_internal earliest=-5m | stats count by sourcetype"
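The export endpoint above returns results in one call, so it sidesteps the per-SID requests that failed in the question. The following is an added example, not code from the thread, showing the three-step flow the question was attempting (submit a job, poll /services/search/jobs/<sid> until it is done, then fetch /results) with the TLS setting applied up front and a try/catch that surfaces the inner exception hidden behind "The underlying connection was closed". The server name, port, credential prompt and the sample search are assumptions for illustration.

```powershell
# Added example (not from the original thread).
# Assumptions: $Server and $Port point at your search head's management port,
# and $Cred is a Splunk user allowed to run searches.
$Server = 'splunk.example.internal'
$Port   = 8089
$Cred   = Get-Credential -Message 'Splunk user'

# Set the protocol before the first request. With older .NET defaults (SSL3/TLS1.0)
# a TLS-1.2-only splunkd drops the handshake, which the cmdlet reports only as
# "An unexpected error occurred on a send".
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$JobsBase = "https://${Server}:${Port}/services/search/jobs"

function Invoke-SplunkRest {
    param(
        [Parameter(Mandatory)][ValidateSet('Get','Post','Delete')][string]$Method,
        [Parameter(Mandatory)][string]$Uri,
        [hashtable]$Body = @{}
    )
    try {
        # For GET the hashtable becomes the query string; for POST it is form-encoded.
        Invoke-RestMethod -Method $Method -Uri $Uri -Credential $Cred -Body $Body -TimeoutSec 120
    }
    catch [System.Net.WebException] {
        # The outer message is generic; the inner exception usually names the real cause
        # (TLS handshake failure, certificate rejection, socket reset).
        $msg = $_.Exception.Message
        $inner = $_.Exception.InnerException
        while ($inner) { $msg += " <- " + $inner.Message; $inner = $inner.InnerException }
        throw "$Method $Uri failed: $msg"
    }
}

# 1. Submit the job; the POST returns {"sid":"..."} when output_mode=json
$job = Invoke-SplunkRest -Method Post -Uri $JobsBase -Body @{
    search      = 'search index=_internal earliest=-5m | stats count by sourcetype'  # assumed sample search
    output_mode = 'json'
}
$sid = $job.sid
Write-Host "Submitted job $sid"

# 2. Poll the individual SID (the call that failed in the question) until isDone is true
do {
    Start-Sleep -Seconds 2
    $status  = Invoke-SplunkRest -Method Get -Uri "$JobsBase/$sid" -Body @{ output_mode = 'json' }
    $content = $status.entry[0].content
    Write-Host ("{0}: dispatchState={1} isDone={2}" -f $sid, $content.dispatchState, $content.isDone)
} until ($content.isDone)

# 3. Fetch all result rows (count=0 means no paging limit)
$results = Invoke-SplunkRest -Method Get -Uri "$JobsBase/$sid/results" -Body @{ output_mode = 'json'; count = 0 }
$results.results | Format-Table -AutoSize
```

If the per-SID calls still fail after forcing TLS 1.2, the inner exception message thrown by Invoke-SplunkRest is the thing to read. Note that the certificate-validation workarounds discussed in this thread (the `{ $true }` callback, or Disable-CertificateValidation) accept any certificate for the rest of the session; importing the splunkd CA certificate into the client's trust store avoids that.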
I am a newbie with Splunk but was successful in connecting to the API server and downloading the log as XML and feeding it to SQL Server. Do you have any sort of error trapping in your PowerShell? Let me know if I can help in some way.
So far, I've not had any luck getting Invoke-RestMethod to play with the Splunk REST API. I'm chalking it up as a bug with this cmdlet, as I'm able to use System.Net.WebRequest successfully as an alternate way to call the API with PowerShell. This is a little more involved than just using the Invoke-RestMethod cmdlet, but it seems to work.
I can't tell from the error (which I hate when that happens), but this may be related to PowerShell really really hating to work with self-signed certificates. Does your Splunk endpoint have a real cert, or a self-signed one? Assuming it's the latter, a workaround is to grab the Splunk PowerShell Resource Kit, and execute the Disable-CertificateValidation cmdlet prior to running any calls against the REST endpoint. That cmdlet should affect anything done in the same PowerShell session.
Check in index=_internal, pivot on source or sourcetype.
Thanks for the quick response. Sorry, I failed to mention that I am disabling certificate validation using the Disable-CertificateValidation cmdlet, which does appear to be working, as I'm able to submit job requests and query all jobs. Do you know if Splunk logs REST API requests anywhere? I'm wondering if that might shed any light on why the connection is being dropped on these API calls.