Question

Having trouble querying Splunk API for a set of events by day. My goal is to return JSON with seven days of event counts (impressions and uniques) for a set of server logs. The search is as follows:

index=assets_index gid=30 | timechart count(clientip) AS Impressions dc(clientip) AS Uniques

When I run this search, and get the results in terminal:

curl -u admin:ourpass -k https://ourserver.com:8089/services/search/jobs -d"search=search index=assets_index gid=30 | timechart count(clientip) AS Impressions dc(clientip) AS Uniques"
curl -u admin:ourpass \
     -k https://ourserver.com:8089/services/search/jobs/1357597855.2304/results/ \
     --get -d output_mode=json

I get the raw events from the search and not the results (running this in the Web search App returns the results I want). I'm sure there's an easy way to request results that gets this to work, but I can't find it. Help.


Solution

You are very close ... just the way you are passing parameters is wrong. Each request parameter should be passed individually with the -d flag AND the parameter values need to be URL-encoded. Try this and see if it works right for you:

curl -u admin:ourpass -k https://ourserver.com:8089/services/search/jobs -d search="search index%3Dassets_index gid%3D30 | timechart count(clientip) AS Impressions dc(clientip) AS Uniques"

Not sure what language your webapp is in; Splunk also has SDKs in multiple languages. It might be easier to go through the SDKs and let them handle talking to Splunk.
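The answer's point, carried through end to end in Python as an added example (this is not code from the question, the answer, or Splunk's SDKs): the SPL string is URL-encoded with urllib.parse.urlencode instead of by hand, the job is created, polled until it is done, and its results are fetched with output_mode=json and reduced to the per-day impressions/uniques structure the question asks for. The endpoint paths are Splunk's standard search-job REST endpoints; the host, credentials, relative time range, the explicit span=1d, and the SAMPLE_RESULTS payload are assumptions or constructed data.

```python
"""Drive a Splunk search job over the REST API and return per-day counts.

Added example; not code from the question or the answer. Assumes the stock
Splunk management endpoints on port 8089:
  POST /services/search/jobs                 -> job SID
  GET  /services/search/jobs/<sid>           -> status (content.isDone)
  GET  /services/search/jobs/<sid>/results   -> rows (output_mode=json)
Host, credentials, time range and SAMPLE_RESULTS are placeholders.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# The question's search, with an explicit one-day span (assumed) so the
# timechart buckets line up with the seven days requested.
SPL = ("search index=assets_index gid=30 | timechart span=1d "
       "count(clientip) AS Impressions dc(clientip) AS Uniques")

# Constructed /results payload in Splunk's JSON shape; not real server output.
SAMPLE_RESULTS = (
    b'{"preview": false, "results": ['
    b'{"_time": "2013-01-01T00:00:00.000-08:00", "Impressions": "12", "Uniques": "3"},'
    b'{"_time": "2013-01-02T00:00:00.000-08:00", "Impressions": "", "Uniques": ""}]}'
)


def job_request_body(search, earliest="-7d@d", latest="@d"):
    """Form body for POST /services/search/jobs.

    urlencode() percent-encodes '=', '|', '(' and ')' and turns spaces into
    '+', so every character of the SPL string reaches Splunk intact inside
    the 'search' field.
    """
    return urllib.parse.urlencode({
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",
    })


def parse_sid(body):
    """Job SID from the create-job response: JSON when output_mode=json was
    sent, otherwise the default XML <response><sid>...</sid></response>."""
    text = body.decode() if isinstance(body, bytes) else body
    if text.lstrip().startswith("{"):
        return json.loads(text)["sid"]
    return ET.fromstring(text).findtext("sid")


def daily_counts(results_body):
    """Reduce the /results JSON to [{day, impressions, uniques}, ...].
    Splunk serialises every field value as a string; missing or empty
    values are counted as 0."""
    rows = json.loads(results_body)["results"]
    return [{
        "day": row["_time"][:10],
        "impressions": int(row.get("Impressions") or 0),
        "uniques": int(row.get("Uniques") or 0),
    } for row in rows]


def urllib_fetch(auth, verify_tls=True):
    """Build fetch(method, url, body) -> bytes using urllib and HTTP Basic auth.
    verify_tls=False is the equivalent of curl -k; keep verification on and
    trust the server's CA (ssl.create_default_context(cafile=...)) instead."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()

    def fetch(method, url, body=None):
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    return fetch


def run_search(base_url, fetch, search=SPL, poll_seconds=1.0, max_polls=120):
    """Create the job, wait until content.isDone, then fetch all rows."""
    jobs = base_url.rstrip("/") + "/services/search/jobs"
    sid = parse_sid(fetch("POST", jobs, job_request_body(search).encode()))
    job_url = f"{jobs}/{urllib.parse.quote(sid, safe='')}"
    for _ in range(max_polls):
        status = json.loads(fetch("GET", job_url + "?output_mode=json"))
        if status["entry"][0]["content"]["isDone"]:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"search job {sid} did not finish")
    # count=0 asks for every row rather than the default page size.
    return daily_counts(fetch("GET", job_url + "/results?output_mode=json&count=0"))


if __name__ == "__main__":
    print(json.dumps(daily_counts(SAMPLE_RESULTS), indent=2))  # offline demo
    # Live server (placeholders from the question):
    # fetch = urllib_fetch(("admin", "ourpass"))
    # print(json.dumps(run_search("https://ourserver.com:8089", fetch), indent=2))
```

With curl the same encoding is one flag away: `--data-urlencode "search=search index=assets_index gid=30 | timechart ..."` does what urlencode() does here, without hand-escaping the `=` signs. Separately, the `-k` in the question turns off certificate verification; the example keeps verification on by default, and the right fix for a self-signed management port is to trust that CA rather than to skip the check.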

Licensed under: CC-BY-SA with attribution