Community:Search through REST perl
From Splunk Wiki
Sample: How to run a search through REST in Perl
1 #!/usr/bin/perl -w
2 # based on the web page:
3 # http://blogs.splunk.com/2011/08/02/splunk-rest-api-is-easy-to-use/
4 # by F.K.
5 # Modified by Masa@Splunk
6 #
7
8 # modules
9 use strict;
10 use Data::Dumper;
11 $Data::Dumper::Indent=1;
12 use LWP::UserAgent; # Module for https calls
13 use XML::Simple; # convrt xml to hash
14 use URI::Escape; # sanitize searches to web friendly characters
15
16 # Search
17 # Note: be careful with quota and special characters
18 my $SEARCH;
19 $SEARCH ='
20 search index=_internal source="*metrics.log*" per_sourcetype_thruput earliest=-4h@h
21 | timechart span=1h sum(kb) by series
22 ';
23
24 # If we want to call a saved search
25 # $SEARCH = '|savedsearch "DasDnsDQ"';
26
27
28 # init environment
29 my $base_url = 'https://10.10.10.1:8089';
30 my $username = 'admin';
31 my $password = 'changeme';
32 my $app = 'search';
33
34 my $XML = new XML::Simple;
35 my $ua = LWP::UserAgent -> new;
36
37 my $post; # Return object for web call
38 my $results; # raw results from Splunk
39 my $xml; # pointer to xml hash
40
41 # Uncomment below to turn off certificate validation in case certificate failure happens and stops this program.
42 #$ua->ssl_opts(verify_hostname => 0);
43
44
45 # Request a session Key
46 $post = $ua->post(
47 "$base_url/servicesNS/admin/$app/auth/login",
48 Content => "username=$username&password=$password"
49 );
50 $results = $post->content;
51 $xml = $XML->XMLin($results);
52
53 # Extract a session key
54 my $ssid = "Splunk ".$xml->{sessionKey};
55 print "Session_Key(Authorization): $ssid\n";
56
57 # Add session key to header for all future calls
58 $ua->default_header( 'Authorization' => $ssid);
59
60 # Perform a search
61 $post = $ua->post(
62 "$base_url/servicesNS/$username/$app/search/jobs",
63 Content => "search=".uri_escape($SEARCH)
64 );
65 $results = $post->content;
66 $xml = $XML->XMLin($results);
67
68 # Check for valid search
69 unless (defined($xml->{sid})) {
70 print "Unable to run command\n$results\n";
71 exit;
72 }
73
74 # Get Search ID
75 my $sid = $xml->{sid};
76 print "SID(Search ID) : $sid\n";
77
78
79 # Check the search Status
80 # Repeat until isDone is 1
81 # <s:key name="isDone">1</s:key>
82 my $done;
83 do {
84 sleep(2);
85 $post = $ua->get(
86 "$base_url/services/search/jobs/$sid/"
87 );
88 $results = $post->content;
89 if ( $results =~ /name="isDone">([^<]*)</ ) {
90 $done = $1;
91 } else {
92 $done = '-';
93 }
94 print "Progress Status:$done: Running\n";
95 } until ($done eq "1");
96
97
98 # Get Search Results
99 $post = $ua->get(
100 "$base_url/services/search/jobs/$sid/results?output_mode=csv&count=0"
101 );
102 $results = $post->content;
103 #$xml = $XML->XMLin($results);
104 print "\nResults:\n";
105 print "--------------\n";
106 print "$results";
107 print "\nSearch is completed.\n\n";
