Community:Search through REST perl

From Splunk Wiki



Sample: How to run a search through REST in Perl

     1  #!/usr/bin/perl -w
     2  # based on the web page:
     3  #   http://blogs.splunk.com/2011/08/02/splunk-rest-api-is-easy-to-use/
     4  # by F.K. 
     5  # Modified by Masa@Splunk
     6  # 
     7  
     8  # modules
     9  use strict;
    10  use Data::Dumper;
    11  $Data::Dumper::Indent=1;
    12  use LWP::UserAgent;  # Module for https calls
    13  use XML::Simple;     # convrt xml to hash
    14  use URI::Escape;     # sanitize searches to web friendly characters
    15  
    16  # Search
    17  #  Note: be careful with quota and special characters
    18  my $SEARCH;
    19  $SEARCH ='
    20  search index=_internal source="*metrics.log*" per_sourcetype_thruput earliest=-4h@h  
    21         | timechart span=1h sum(kb) by series
    22  ';
    23  
    24  # If we want to call a saved search
    25  # $SEARCH = '|savedsearch "DasDnsDQ"';
    26  
    27  
    28  # init environment 
    29  my $base_url = 'https://10.10.10.1:8089';
    30  my $username = 'admin';
    31  my $password = 'changeme';
    32  my $app      = 'search';
    33  
    34  my $XML = new XML::Simple;
    35  my $ua = LWP::UserAgent -> new;
    36  
    37  my $post;         # Return object for web call
    38  my $results;      # raw results from Splunk
    39  my $xml;          # pointer to xml hash
    40  
    41  # Uncomment below to turn off certificate validation in case certificate failure happens and stops this program.
    42  #$ua->ssl_opts(verify_hostname => 0);
    43  
    44  
    45  # Request a session Key 
    46  $post = $ua->post(
    47           "$base_url/servicesNS/admin/$app/auth/login",
    48           Content => "username=$username&password=$password"
    49        );
    50  $results = $post->content;
    51  $xml = $XML->XMLin($results);
    52  
    53  # Extract a session key
    54  my $ssid = "Splunk ".$xml->{sessionKey};
    55  print "Session_Key(Authorization): $ssid\n";
    56  
    57  # Add session key to header for all future calls
    58  $ua->default_header( 'Authorization' => $ssid);
    59  
    60  # Perform a search
    61  $post = $ua->post(
    62           "$base_url/servicesNS/$username/$app/search/jobs", 
    63           Content => "search=".uri_escape($SEARCH)
    64        );
    65  $results = $post->content;
    66  $xml = $XML->XMLin($results);
    67  
    68  # Check for valid search
    69  unless (defined($xml->{sid})) {
    70     print "Unable to run command\n$results\n";
    71     exit;
    72  }
    73  
    74  # Get Search ID
    75  my $sid = $xml->{sid};
    76  print  "SID(Search ID)            : $sid\n";
    77  
    78  
    79  # Check the search Status
    80  # Repeat until isDone is 1
    81  #   <s:key name="isDone">1</s:key>
    82  my $done;
    83  do {
    84     sleep(2);
    85     $post = $ua->get(
    86              "$base_url/services/search/jobs/$sid/"
    87           );
    88     $results = $post->content;
    89     if ( $results =~ /name="isDone">([^<]*)</ ) {
    90        $done = $1;
    91     } else {
    92        $done = '-';
    93     }
    94     print "Progress Status:$done: Running\n";
    95  } until ($done eq "1");
    96  
    97  
    98  # Get Search Results
    99  $post = $ua->get(
   100           "$base_url/services/search/jobs/$sid/results?output_mode=csv&count=0"
   101        );
   102  $results = $post->content;
   103  #$xml = $XML->XMLin($results);
   104  print "\nResults:\n";
   105  print "--------------\n";
   106  print "$results";
   107  print "\nSearch is completed.\n\n";