Professional Documents
Culture Documents
3
REST API Tutorials
Generated: 5/01/2015 2:00 am
Table of Contents
REST API tutorials...............................................................................................1
Accessing and updating Splunk Enterprise configurations.......................1
Creating searches using the REST API.....................................................6
Examples using the Splunk REST API...................................................12
curl -k -u admin:pass
https://localhost:8089/servicesNS/nobody/search/properties/props
The response:
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/</id>
. . .
<entry>
<title>ActiveDirectory</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/ActiveDirectory
<updated>2011-09-14T15:48:40-07:00</updated>
<link
href="/servicesNS/nobody/search/properties/props/ActiveDirectory"
rel="alternate"/>
</entry>
<entry>
<title>PerformanceMonitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/PerformanceMoni
<updated>2011-09-14T15:48:40-07:00</updated>
<link
href="/servicesNS/nobody/search/properties/props/PerformanceMonitor"
rel="alternate"/>
</entry>
. . .
<entry>
<title>wmi</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/wmi</id>
<updated>2011-09-14T15:48:40-07:00</updated>
<link href="/servicesNS/nobody/search/properties/props/wmi"
rel="alternate"/>
</entry>
<entry>
<title>wtmp</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/wtmp</id>
<updated>2011-09-14T15:48:40-07:00</updated>
<link href="/servicesNS/nobody/search/properties/props/wtmp"
rel="alternate"/>
</entry>
</feed>
The /search/properties/props/websphere_core GET operation returns the
key/value pairs for the props.conf file webshpere_core stanza.
curl -k -u admin:pass
https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core
The response:
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>websphere_core</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core</i
. . .
<entry>
<title>ANNOTATE_PUNCT</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/
<updated>2011-09-14T15:55:01-07:00</updated>
<link
href="/servicesNS/nobody/search/properties/props/websphere_core/ANNOTATE_PUNCT"
rel="alternate"/>
<content type="text">True</content>
</entry>
<entry>
<title>BREAK_ONLY_BEFORE</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/
<updated>2011-09-14T15:55:01-07:00</updated>
<link
href="/servicesNS/nobody/search/properties/props/websphere_core/BREAK_ONLY_BEFORE"
rel="alternate"/>
<content type="text">^NULL\s</content>
</entry>
. . .
<entry>
<title>maxDist</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/
<updated>2011-09-14T15:55:01-07:00</updated>
<link
href="/servicesNS/nobody/search/properties/props/websphere_core/maxDist"
rel="alternate"/>
<content type="text">70</content>
</entry>
</feed>
configs/conf-{file} endpoints
GET operations for these endpoints return entries for the stanzas in the named
configuration file, detailing the contents of the stanza as key/value pairs.
For example, the /search/configs/conf-props GET operation lists the
props.conf configuration for the default search application.
curl -k -u admin:pass
https://localhost:8089/servicesNS/nobody/search/configs/conf-props
The response, showing elided fragments of a few stanzas in props.conf.
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>conf-props</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
<updated>2011-09-14T15:31:24-07:00</updated>
. . .
<entry>
<title>access_combined</title>
<id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/access_combin
. . .
<content type="text/xml">
<s:dict>
<s:key name="ANNOTATE_PUNCT">1</s:key>
<s:key name="BREAK_ONLY_BEFORE"></s:key>
<s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
. . .
<s:key name="maxDist">28</s:key>
<s:key name="pulldown_type">1</s:key>
</s:dict>
</content>
</entry>
. . .
<entry>
<title>exchange</title>
<id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/exchange</id>
<updated>2011-09-14T15:31:24-07:00</updated>
. . .
<content type="text/xml">
<s:dict>
<s:key name="ANNOTATE_PUNCT">1</s:key>
<s:key name="BREAK_ONLY_BEFORE"></s:key>
<s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
. . .
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="maxDist">100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass
https://localhost:8089/servicesNS/nobody/search/configs/conf-props \
-d name=myweblogs \
-d CHARSET=UTF-8 \
-d SHOULD_LINEMERGE=false
configs/conf-{file}/{name}
Use the POST operation to create or update key/value pairs in the {name}
stanza.
Use the DELETE operation to remove a stanza from a configuration file.
5
/search/jobs/{search_id}/events
Return untransformed events of a search.
/search/jobs/{search_id}/results
Return transformed events of a search.
/search/jobs/{search_id}/summary
Return summary information for fields of a search.
/search/jobs/{search_id}/timeline
Return event distribution over time of the so-far-read untransformed events.
/saved/searches
Create or access the configuration of saved searches.
dispatchState
is one of the properties returned when accessing a search. It
provides the state of a search, which can be any of the following:
dispatchState
QUEUED
PARSING
RUNNING
PAUSED
FINALIZING
FAILED
DONE
search job properties
The GET operation for /search/jobs returns all the properties of a search. These
properties are described in the parameters to the POST operation. Search job
properties are also described in "View search job properties with the Search Job
Inspector".
performance
The GET operation for /search/jobs returns information that helps you
troubleshoot the efficiency of a search. Refer to "Execution costs" in "View
search job properties with the Search Job Inspector" for more information.
This simple example runs the search for *. It returns an XML response such as:
You need the search ID to retrieve the search, which is returned within the <sid>
tags. In the example above this is 1258421375.19.
Check status of a search
Check the status of a search job by accessing the GET operation of search/jobs/.
If you know the search's ID, you can access search/jobs/{search_id} to get
information about that search only:
curl -u admin:changeme -k
https://localhost:8089/services/search/jobs/1258421375.19
If you're not sure what searches you're running, the GET operation at search/jobs
endpoint returns a list of searches with their search IDs.
curl -u admin:changeme \
-k
https://localhost:8089/services/search/jobs/1258421375.19/results/ \
--get -d output_mode=csv
Note: This is one method that you can use to export large numbers of search
results out of Splunk Enterprise. For more information about exporting search
9
results with the REST API, as well as information about the other export methods
offered by Splunk Enterprise, see "Export search results" in the Search Manual.
Python example
Here's an example of authenticating against a Splunk server and running a
search query in Python. After running the search, the script returns the search ID
(sid).
#!/usr/bin/python -u
import urllib
import httplib2
from xml.dom import minidom
baseurl = 'https://localhost:8089'
userName = 'admin'
password = 'pass'
searchQuery = 'sourcetype=access_common | head 5'
# Authenticate with server.
# Disable SSL cert validation. Splunk certs are self-signed.
serverContent =
httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl +
'/services/auth/login',
'POST', headers={}, body=urllib.urlencode({'username':userName,
'password':password}))[1]
sessionKey =
minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].n
# check if the query has the search operator
if not searchQuery.startswith('search'):
searchQuery = 'search ' + searchQuery
# Run the search.
# Again, disable SSL cert validation.
print
httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl +
'/services/search/jobs','POST',
headers={'Authorization': 'Splunk %s' %
sessionKey},body=urllib.urlencode({'search': searchQuery}))[1]
Ruby example
The following example shows how to use Ruby to authenticate against the
Splunk REST API with a generic user name and password. Then, run a search,
delete a specific search job and list out available search jobs. Note that the list is
10
returned in XML and not parsed. To parse the results from endpoints, use an
XML parser such as libxml. Also, you'll need to install the hpricot gem to get this
to work.
require 'net/https'
require 'rubygems'
require 'hpricot'
class SplunkClient
HOST = 'localhost'
PORT = 8089
USER = 'admin'
PASSWORD = 'changeme'
def splunk_ssl_post_request(path, data = nil, headers = nil)
http = Net::HTTP.new(HOST, PORT)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.post(path, data, headers).body
end
def session_key
@session_key ||= load_session_key
end
def load_session_key
doc = Hpricot(splunk_ssl_post_request("/services/auth/login",
"username=#{USER}&password=#{PASSWORD}"))
(doc/"//sessionkey").inner_html
end
def create_job query
search = "search index=internetmail #{query}"
splunk_ssl_post_request("/services/search/jobs",
"search=#{CGI::escape(search)}",
{ 'authorization' => "Splunk
#{session_key}" })
end
def list_jobs
xml = splunk_ssl_post_request("/services/search/jobs/", nil,
{'authorization' => "Splunk #{session_key}"})
puts xml
end
def search_results(sid)
doc = Hpricot(
splunk_ssl_post_request("/services/search/jobs/#{sid}/events",
nil,
11
curl -k -u alice:pass
https://localhost:8089/servicesNS/alice/myapp/saved/searches/
-d name=mysearch \
-d search=*
12
curl -k -u alice:pass
https://localhost:8089/servicesNS/alice/myapp/saved/searches/mysearch \
-d search="index=mai*"
curl -k -u admin:pass
https://localhost:8089/servicesNS/alice/myapp/saved/searches/mysearch/acl
\
-d perms.read=* \
-d owner=alice \
-d sharing=app
Edit the search at the shared location. Because the search is now a shared
resource, use <nobody> for the <user> context.
curl -k -u alice:pass
https://localhost:8089/servicesNS/nobody/myapp/saved/searches/mysearch
\
-d search="index=main"
curl -k -u admin:pass
https://localhost:8089/servicesNS/nobody/myapp/saved/searches/mysearch/move
\
-d user=nobody \
-d app=otherapp
curl -k -u admin:pass
https://localhost:8089/servicesNS/-/-/saved/searches
curl -k -u alice:pw
https://localhost:8089/servicesNS/-/-/saved/searches
14