Community:Search through REST perl
From Splunk Wiki
Sample: How to run a search through REST in Perl
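#!/usr/bin/perl -w
# based on the web page:
# http://blogs.splunk.com/2011/08/02/splunk-rest-api-is-easy-to-use/
# by F.K.
# Modified by Masa@Splunk
#
# Runs a Splunk search through the REST API on the management port:
#   1. log in and obtain a session key,
#   2. submit the search as a job,
#   3. poll the job until it reports isDone = 1,
#   4. print the results as CSV.
# Every HTTP response is checked before its body is used, so an
# authentication or transport failure stops the script instead of being
# parsed as if it were a valid answer.

# modules
use strict;
use warnings;
use Data::Dumper;
$Data::Dumper::Indent=1;
use LWP::UserAgent;   # Module for https calls
use XML::Simple;      # convert xml to hash
use URI::Escape;      # percent-encode values placed in URLs

# Search
# Note: be careful with quota and special characters
my $SEARCH;
$SEARCH ='
search index=_internal source="*metrics.log*" per_sourcetype_thruput earliest=-4h@h
| timechart span=1h sum(kb) by series
';

# If we want to call a saved search
# $SEARCH = '|savedsearch "DasDnsDQ"';


# init environment
my $base_url = 'https://10.10.10.1:8089';
my $username = 'admin';
# 'changeme' is only the sample value from the original page. Supply the real
# password through the environment (the variable name is this script's own
# choice) so it does not end up in source control or in a shared copy.
my $password = defined $ENV{SPLUNK_PASSWORD} ? $ENV{SPLUNK_PASSWORD} : 'changeme';
my $app      = 'search';

# Upper bound on status polls (2 seconds apart) so that a job which never
# reports isDone cannot keep the script running forever. Raise for long searches.
my $max_polls = 900;

my $XML = XML::Simple->new;
my $ua  = LWP::UserAgent->new;

my $post;       # Return object for web call
my $results;    # raw results from Splunk
my $xml;        # pointer to xml hash

# Certificate validation: the login request below carries the password, so
# turning verification off lets anyone on the network path impersonate the
# server and read it. If validation fails because splunkd uses a private CA,
# prefer trusting that CA over disabling the check:
#$ua->ssl_opts(SSL_ca_file => '/path/to/splunk-ca.pem');
# Last resort, for an isolated lab only:
#$ua->ssl_opts(verify_hostname => 0);


# Request a session Key
# Passing a hash reference makes LWP form-encode each field, so a password
# containing '&', '=', '%' or '+' is sent intact instead of corrupting the body.
$post = $ua->post(
    "$base_url/servicesNS/admin/$app/auth/login",
    { username => $username, password => $password }
);
die "Login request failed: " . $post->status_line . "\n"
    unless $post->is_success;
$results = $post->content;
$xml = $XML->XMLin($results);

# Extract a session key
die "Login response did not contain a session key\n"
    unless ref $xml eq 'HASH' && defined $xml->{sessionKey};
my $ssid = "Splunk ".$xml->{sessionKey};
# The session key is a bearer credential: do not echo it to the terminal,
# where it would be captured by scrollback, cron mail or log collection.
print "Session key obtained.\n";

# Add session key to header for all future calls
$ua->default_header( 'Authorization' => $ssid);

# Perform a search
$post = $ua->post(
    "$base_url/servicesNS/$username/$app/search/jobs",
    { search => $SEARCH }
);
$results = $post->content;

# Check for valid search
# Only parse the body when the request succeeded; an error page is reported
# as-is rather than handed to the XML parser.
$xml = $post->is_success ? $XML->XMLin($results) : undef;
unless (ref $xml eq 'HASH' && defined($xml->{sid})) {
    print "Unable to run command\n$results\n";
    exit 1;
}

# Get Search ID
my $sid = $xml->{sid};
print "SID(Search ID) : $sid\n";

# The SID comes back from the server and is placed in a URL path below, so
# percent-encode it rather than trusting its character set.
my $sid_path = uri_escape($sid);


# Check the search Status
# Repeat until isDone is 1
# <s:key name="isDone">1</s:key>
my $done  = '-';
my $polls = 0;
until ($done eq "1") {
    die "Search $sid did not finish after $max_polls status checks\n"
        if ++$polls > $max_polls;
    sleep(2);
    $post = $ua->get(
        "$base_url/services/search/jobs/$sid_path/"
    );
    # A 401/404/5xx here would never contain isDone; stop instead of spinning.
    die "Status request failed: " . $post->status_line . "\n"
        unless $post->is_success;
    $results = $post->content;
    if ( $results =~ /name="isDone">([^<]*)</ ) {
        $done = $1;
    } else {
        $done = '-';
    }
    print "Progress Status:$done: Running\n";
}


# Get Search Results
$post = $ua->get(
    "$base_url/services/search/jobs/$sid_path/results?output_mode=csv&count=0"
);
die "Results request failed: " . $post->status_line . "\n"
    unless $post->is_success;
$results = $post->content;
#$xml = $XML->XMLin($results);
print "\nResults:\n";
print "--------------\n";
print "$results";
print "\nSearch is completed.\n\n";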