douxun4860 2018-03-02 21:45
浏览 129
已采纳

将查询发布到Golang中的Splunk REST API / search / jobs /端点

I would like to send a search/query to Splunk REST API, and return a search id to later consume the results.

I can achieve the desired behavior with the below curl:

#!/bin/bash

user='my_user'
pass='my_pass'

search='search index=short sourcetype=src | head 5'

curl -u $user:$pass -k https://111.22.33.44:8089/services/search/jobs -d search="$search"

which returns:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>234523452435.6556_234234-3J3J-34J4-2345-123456678E3</sid>
</response>

Here are the relevant Go snippets in which I am trying to achieve the same:

Main:

  //main.go
    sid, err := conn.Query()
    if err != nil {
            fmt.Println("err creating search: %s", err)
    } else {
            fmt.Println("sid:", sid)
    }

Query:

    // query.go
    func (conn SplunkConnection) Query() (string, error) {
            data := make(url.Values)
            data.Add("output_mode", "json")
            data.Add("search%20index%3Dshort%20sourcetype%3Dsrc%20%7C%20head%205", "search")
            data.Add("-60m%40m", "earliest")
            data.Add("-10m%40m", "latest")

        // try httpGet() here
        sid, err := conn.httpPost(fmt.Sprintf("%s/services/search/jobs", conn.BaseURL), &data)
        if err != nil {
                return "", err
        }

        return string(sid), err
}

Helper:

// http.go
func (conn SplunkConnection) httpPost(url string, data *url.Values) (string, error) {
        return conn.httpCall(url, "POST", data)
}

What I expect is a response containing just a JSON blob with my SID. Instead, it returns a huge JSON, which appears to be contain all current jobs at the /services/search/jobs endpoint.

How can I adjust my code to return just the SID? (I intend to poll it for completion and retrieve the results later, but don't need help with this...yet).

  • 写回答

1条回答 默认 最新

  • douju2053 2018-03-02 22:34
    关注

    You seem to have reversed your postdata parameters.

                data.Add("search%20index%3Dshort%20sourcetype%3Dsrc%20%7C%20head%205", "search")
    

    This becomes search index=short sourcetype=src | head 5 = search, which is the reverse of what you want.

    The key comes first, then the value, but you have specified the value first, then the key.

    I think this should instead be:

                data.Add("search", "search%20index%3Dshort%20sourcetype%3Dsrc%20%7C%20head%205")
    

    I suspect the same is true of some of your other calls to url.Values.Add(), so you should check them all and be sure.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 本题的答案是不是有问题
  • ¥15 关于#r语言#的问题:(svydesign)为什么在一个大的数据集中抽取了一个小数据集
  • ¥15 C++使用Gunplot
  • ¥15 这个电路是如何实现路灯控制器的,原理是什么,怎么求解灯亮起后熄灭的时间如图?
  • ¥15 matlab数字图像处理频率域滤波
  • ¥15 在abaqus做了二维正交切削模型,给刀具添加了超声振动条件后输出切削力为什么比普通切削增大这么多
  • ¥15 ELGamal和paillier计算效率谁快?
  • ¥15 蓝桥杯单片机第十三届第一场,整点继电器吸合,5s后断开出现了问题
  • ¥15 file converter 转换格式失败 报错 Error marking filters as finished,如何解决?
  • ¥15 Arcgis相交分析无法绘制一个或多个图形