Splunk provides an extensive HTTP REST interface, which allows searching, adding data, adding inputs, managing users, and more. Documentation and SDKs are provided by Splunk at http://dev.splunk.com/.
To get an idea of how this REST interaction happens, let's walk through a sample conversation to run a query and retrieve the results. The steps are essentially as follows:
- Start the query (POST)
- Poll for status (GET)
- Retrieve results (GET)
We will use the command-line program curl to illustrate these steps. The SDKs make this interaction much simpler.
The command to start a query is as follows:
curl -u user:pass -k https://yourserver:8089/services/search/jobs -d "search=search query"
This essentially says to use POST with the form body search=search query: the form field named search carries the search string, and that string itself begins with the search command. If you are familiar with HTTP, you might notice that this is a standard POST from an HTML form.
To run the query earliest=-1h index="_internal" warn | stats count by host, we need to URL-encode the query. The command, then, is as follows...
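The following is an added example, not code from the book or from Splunk's SDKs, that carries the three-step conversation (POST to start, GET to poll, GET to fetch results) through in Python. The URL-encoding of the search body is done with urllib.parse.urlencode, and the responses are requested as JSON via Splunk's output_mode=json parameter so they can be parsed without XML handling. The server name, credentials, search id and result rows are constructed placeholders; the fake transport replays one such conversation so the whole flow runs offline. Unlike the curl -k in the text, the real HTTPS transport here keeps certificate verification on.

```python
"""Added example: Splunk search-job REST conversation (start, poll, fetch).
Not from the book or Splunk's SDK; server, credentials and replies are constructed."""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

JOBS_PATH = "/services/search/jobs"


def build_search_body(query: str) -> str:
    """URL-encode the form body that curl's -d sends. Splunk expects the
    search string itself to start with the 'search' command, so it is
    prepended when missing (the text's 'search=search query' pattern)."""
    if not query.lstrip().startswith("search "):
        query = "search " + query.strip()
    return urllib.parse.urlencode({"search": query, "output_mode": "json"})


def parse_sid(text: str) -> str:
    """Step 1 reply: the search id assigned to the new job."""
    return json.loads(text)["sid"]


def parse_dispatch_state(text: str) -> str:
    """Step 2 reply: dispatchState of the job (e.g. QUEUED, RUNNING, DONE, FAILED)."""
    return json.loads(text)["entry"][0]["content"]["dispatchState"]


def parse_results(text: str) -> list:
    """Step 3 reply: one dict per result row."""
    return json.loads(text)["results"]


class SplunkSearch:
    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = "Basic " + token  # same credentials curl -u would send
        self.transport = transport or self._https_transport

    def _https_transport(self, method, url, body=None):
        # Real transport; default context verifies the server certificate,
        # which the text's curl -k switches off.
        req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
        req.add_header("Authorization", self.auth)
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return resp.read().decode()

    def start(self, query):  # step 1: POST /services/search/jobs
        return parse_sid(self.transport("POST", self.base_url + JOBS_PATH, build_search_body(query)))

    def status(self, sid):  # step 2: GET /services/search/jobs/<sid>
        return parse_dispatch_state(self.transport("GET", f"{self.base_url}{JOBS_PATH}/{sid}?output_mode=json"))

    def results(self, sid):  # step 3: GET /services/search/jobs/<sid>/results
        return parse_results(self.transport("GET", f"{self.base_url}{JOBS_PATH}/{sid}/results?output_mode=json"))

    def run(self, query, poll_interval=1.0, max_polls=60):
        """Start the job, poll until DONE (or FAILED), then fetch the rows."""
        sid = self.start(query)
        for _ in range(max_polls):
            state = self.status(sid)
            if state == "DONE":
                return self.results(sid)
            if state == "FAILED":
                raise RuntimeError(f"search job {sid} failed")
            time.sleep(poll_interval)
        raise TimeoutError(f"search job {sid} not done after {max_polls} polls")


def fake_transport_factory():
    """Constructed replies that mimic one conversation, so the flow runs offline."""
    polls = {"n": 0}

    def transport(method, url, body=None):
        if method == "POST" and url.endswith(JOBS_PATH):
            if "search=search+earliest" not in (body or ""):
                raise ValueError("body is not the URL-encoded search form")
            return '{"sid": "1700000000.123"}'  # constructed search id
        if method == "GET" and url.endswith("/results?output_mode=json"):
            return '{"results": [{"host": "idx01", "count": "12"}, {"host": "idx02", "count": "3"}]}'
        if method == "GET":
            polls["n"] += 1  # report RUNNING twice, then DONE
            state = "RUNNING" if polls["n"] < 3 else "DONE"
            return json.dumps({"entry": [{"content": {"dispatchState": state}}]})
        raise ValueError(f"unexpected request {method} {url}")

    return transport


def demo():
    """Run the text's example query against the constructed transport."""
    client = SplunkSearch("https://yourserver:8089", "user", "pass", transport=fake_transport_factory())
    return client.run('earliest=-1h index="_internal" warn | stats count by host', poll_interval=0)


if __name__ == "__main__":
    print(build_search_body('earliest=-1h index="_internal" warn | stats count by host'))
    for row in demo():
        print(row["host"], row["count"])
```

To talk to a real instance, construct SplunkSearch without the transport argument; the same start/status/results calls are then sent over HTTPS with basic authentication, exactly the three requests the text outlines.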