Splunk provides an extensive HTTP REST interface, which allows searching, adding data, adding inputs, managing users, and more. Documentation and SDKs are provided by Splunk at http://dev.splunk.com/.
To get an idea of how this REST interaction happens, let's walk through a sample conversation to run a query and retrieve the results. The steps are essentially as follows:

1. Start the query (POST).
2. Poll for status (GET).
3. Retrieve results (GET).
We will use the command-line program cURL to illustrate these steps. The SDKs make this interaction much simpler.
The command to start a query is as follows:
curl -u user:pass -k https://yourserver:8089/services/search/jobs -d"search=search query"
This sends the form field search=search query to the search/jobs endpoint using POST. If you are familiar with HTTP, you will recognize this as a standard POST of an HTML form.
To run the query earliest=-1h index="_internal" warn | stats count by host, we need to URL-encode the query. The command then is as...