I would like to send a search/query to Splunk REST API, and return a search id to later consume the results.
I can achieve the desired behavior with the below curl:
#!/bin/bash
user='my_user'
pass='my_pass'
search='search index=short sourcetype=src | head 5'
curl -u $user:$pass -k https://111.22.33.44:8089/services/search/jobs -d search="$search"
which returns:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<sid>234523452435.6556_234234-3J3J-34J4-2345-123456678E3</sid>
</response>
Here are the relevant Go snippets in which I am trying to achieve the same:
Main:
//main.go
sid, err := conn.Query()
if err != nil {
fmt.Println("err creating search: %s", err)
} else {
fmt.Println("sid:", sid)
}
Query:
// query.go
func (conn SplunkConnection) Query() (string, error) {
data := make(url.Values)
data.Add("output_mode", "json")
data.Add("search%20index%3Dshort%20sourcetype%3Dsrc%20%7C%20head%205", "search")
data.Add("-60m%40m", "earliest")
data.Add("-10m%40m", "latest")
// try httpGet() here
sid, err := conn.httpPost(fmt.Sprintf("%s/services/search/jobs", conn.BaseURL), &data)
if err != nil {
return "", err
}
return string(sid), err
}
Helper:
// http.go
func (conn SplunkConnection) httpPost(url string, data *url.Values) (string, error) {
return conn.httpCall(url, "POST", data)
}
What I expect is a response containing just a JSON blob with my SID. Instead, it returns a huge JSON, which appears to be contain all current jobs at the /services/search/jobs endpoint.
How can I adjust my code to return just the SID? (I intend to poll it for completion and retrieve the results later, but don't need help with this...yet).
