Hello, I have several questions/issues with the Splunk API, so I'll try to keep this short and concise. First, does Splunk offer a WSDL? That would really solve all this for me. If not, then here's my next question of many: What's causing this error? <s:item>Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.</s:item> I get that when I attempt to call the Splunk API with an HP OO HTTP Client GET operation. I have ideas for workarounds (including using WMI to run Splunk CLI search commands and getting results) but they have their own issues. I'd like to tackle this one first. Thanks in advance.
I would suggest modifying the "search" parameter in your POST request to:
...instead of:
...as specified in the REST API reference for the search/jobs endpoint:
(...)
(...)
The error you are seeing is shown because your search string is the equivalent of typing "(...)". This is because the Splunkweb search bar silently appends the search terms you provide to the search command, which results in a separate "splunk search" process.
If you compare a search job entry from a Splunkweb ad-hoc search (...)
Essentially, you'll want to modify your POST request so that the name of the job object you create (...)

@merritsa: Thank you for accepting my answer. Did my instructions resolve your problem?
(27 Jan, 12:28)
hexx ♦
1
Thanks, this got me a lot closer. I revised the command to instead be search cdp * | head 10,output_mode=xml, since the command "search" seems to be accounted for elsewhere in the post operation input. Though I still don't seem to have results. Just a lack of an error message. In looking through it, it seems this might be why: <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key> I'll try to figure out how to denote a proper search time.
(27 Jan, 12:29)
merritsa
1
You need to pass the "earliest_time" and "latest_time" parameters in your POST request to do so, just like you did for "search". You can find the specifications of these parameters in the "Request" table of the REST API reference documentation I linked earlier.
(27 Jan, 12:36)
hexx ♦
Not a WSDL, but an endpoint reference can be found here: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTlist

Thanks, I'll check it out.
(25 Jan, 15:05)
merritsa
1
So based on that reference page, as far as I can tell, it's formatted correctly. What's the next step to ts this?
(26 Jan, 07:13)
merritsa

Maybe it would help if you post your search string to check the syntax. ;-)
Of course, my apologies :) I'm on a conference call and replying to both IM and email too...I'm a terrible multi-tasker.
Here you go...
Post from the HTTP Client POST operation in OO:
https://<splunk_server>/services/search/jobs/
search=cdp * | head 10,output_mode=xml
inputValueSet search=cdp * | head 10,output_mode=xml
inputNameList search,output
delimeter ,
This returns success and gives me what looks to be an epoch time as a result. I've read that this is the name of the Splunk search results (in this case, 1327527878.25639).
So then I run an HTTP Client GET to get those results, at which point I get the error I originally posted - <s:item>Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.</s:item>.
It's down in the middle of all the xml output I get as a reply.
You created a search job and got a job id. But when you go to get the results, you get the Splunk error. That looks like your search is not sent correctly to Splunk by the request. At http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT there is a nice tutorial with some examples: curl -k -u admin:changeme -d 'search="search error"' https://localhost:8089/servicesNS/admin/search/search/jobs
Maybe the quoting/encoding of your request is wrong.
Exactly. Splunk never returns an error on the search itself when I post it.
I'll play with it some more and report back. Thanks.
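As an added example (not code from this thread, from Splunk, or from HP OO), the following Python puts together what the accepted answer, its comments and the later exchange describe: build the search/jobs POST with the "search" command prefixed and earliest_time/latest_time included, read the job id out of the POST response, and pull error messages such as the one quoted in the question out of a job's status XML. The XML responses embedded below are constructed and abridged samples, not captured from a real server.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Namespace prefix Splunk uses for its <s:dict>/<s:key>/<s:item> structures.
NS = {"s": "http://dev.splunk.com/ns/rest"}

def build_job_request(query, earliest="-24h", latest="now", output_mode="xml"):
    """Return (path, params, body) for POST /services/search/jobs.

    The 'search' parameter must be a full SPL pipeline, so a bare term list
    like 'cdp * | head 10' gets the 'search' command prefixed; a string that
    already starts with 'search' or a generating command ('|') is left alone.
    earliest_time/latest_time bound the job in time, as the thread recommends.
    """
    spl = query.strip()
    if not (spl.lower().startswith("search ") or spl.startswith("|")):
        spl = "search " + spl
    params = {"search": spl, "earliest_time": earliest,
              "latest_time": latest, "output_mode": output_mode}
    return "/services/search/jobs", params, urllib.parse.urlencode(params)

def parse_sid(xml_text):
    """Job id (the epoch-looking value) from the POST response's <sid> element."""
    sid = ET.fromstring(xml_text).findtext("sid")
    if sid is None:
        raise ValueError("no <sid> element in search/jobs response")
    return sid

def job_messages(xml_text):
    """Map message level ('error', 'warn', ...) to <s:item> texts of a job entry."""
    root = ET.fromstring(xml_text)
    levels = {}
    for key in root.iterfind(".//s:key[@name='messages']/s:dict/s:key", NS):
        levels[key.get("name")] = [i.text for i in key.iterfind("s:list/s:item", NS)]
    return levels

# Constructed, abridged GET /services/search/jobs/<sid> entry for a job whose
# search string failed to parse; the keys mirror those quoted in the thread.
JOB_STATUS_XML = """<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <content type="text/xml"><s:dict>
    <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
    <s:key name="messages"><s:dict><s:key name="error"><s:list>
      <s:item>Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.</s:item>
    </s:list></s:key></s:dict></s:key>
  </s:dict></content>
</entry>"""

if __name__ == "__main__":
    print(build_job_request("cdp * | head 10")[2])
    print(job_messages(JOB_STATUS_XML))
```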