Making Splunk searches using REST API

When you have already learned how to make search requests in the Splunk GUI, it may be nice to figure out how to do the same from your own scripts using the Splunk REST API.

Splunk API

It’s really easy!

Ok, we have a Splunk SIEM account:

user="user"
pass="Password123"

And we want to execute this search request:

search='search index="index_nessus" host="192.168.56.50"'

First of all, we need to get the ID of our search request (make sure that port 8089 is open! 😉):

curl -u $user:$pass -k https://192.168.56.101:8089/services/search/jobs -d search="$search"

<?xml version="1.0" encoding="UTF-8"?>
<response>
<sid>1490878950.3029</sid>
</response>

Now, having this ID we can check if the results of this search request are available:

curl -u $user:$pass -k https://192.168.56.101:8089/services/search/jobs/1490878950.3029

This command will return a huge XML document. We need to figure out whether the search is finished or not:

curl -s -u $user:$pass -k https://192.168.56.101:8089/services/search/jobs/1490878950.3029  | grep "dispatchState"
<s:key name="dispatchState">DONE</s:key>

When dispatchState is DONE, we can get the results:

curl -u $user:$pass -k https://192.168.56.101:8089/services/search/jobs/1490878950.3029/results/ --get -d output_mode=csv

This command will return 200 lines of text like this:

...
"index_nessus~11~C780C931-CD4E-4CE4-ACEC-6240AF49DAB2","11:3468150",1490703404,"{""scan_group"":""vm_moscow"", ""plugin_output"":""Port 135/tcp was found to be open"", ""protocol"":""tcp"", ""severity"":""0"", ""script_version"":""$Revision: 1.73 $"", ""risk_factor"":""None"", ""solution"":""n/a"", ""plugin_modification_date"":""2017/03/27"", ""pluginName"":""Netstat Portscanner (WMI)"", ""agent"":[""windows""], ""pluginFamily"":""Port scanners"", ""synopsis"":""The list of open ports could be retrieved via netstat."", ""pluginID"":""34220"", ""plugin_name"":""Netstat Portscanner (WMI)"", ""fname"":""wmi_netstat.nbin"", ""plugin_publication_date"":""2008/09/16"", ""plugin_type"":""local"", ""svc_name"":""epmap"", ""port"":""135"", ""description"":""Using the WMI interface, it was possible to get the open ports by running the netstat command remotely.""}",14,"192.168.56.101"
...

This is some plugin data from Nessus scan results.

And if we use the "| table" operator, we also get a nicely parsable CSV table in the results. Therefore, you do not need to mess around with creating reports, as you would when searching in the Splunk graphical interface.
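The same three-step exchange (create the job, poll dispatchState, fetch the CSV results) as one script, added here as an example and not taken from the original post. It uses only the Python standard library; `make_fake_fetch` is a hypothetical offline stand-in for the HTTP call that replays constructed responses in the shape shown above, and unlike the curl `-k` commands it keeps TLS certificate verification on and fails fast when a job reports FAILED.

```python
import base64, csv, io, re, time
import urllib.parse, urllib.request
# Constructed sample responses in the shape the post shows (not captured from a real Splunk).
SAMPLE_SID_XML = '<?xml version="1.0" encoding="UTF-8"?><response><sid>1490878950.3029</sid></response>'
SAMPLE_CSV = 'host,sourcetype\n"192.168.56.50","nessus"\n'
def parse_sid(xml_text):
    """Pull the job id out of the create-job response."""
    m = re.search(r"<sid>([^<]+)</sid>", xml_text)
    if not m:
        raise ValueError("no <sid> in create-job response")
    return m.group(1)

def parse_dispatch_state(xml_text):
    """Pull dispatchState out of the large job status document."""
    m = re.search(r'<s:key name="dispatchState">([A-Z]+)</s:key>', xml_text)
    return m.group(1) if m else None

def http_fetch(url, user, password, data=None):
    """Real transport: basic auth over HTTPS; certificate verification stays on (no curl -k)."""
    req = urllib.request.Request(url, data=data.encode() if data else None)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def make_fake_fetch(states):
    """Hypothetical offline stand-in for http_fetch that replays the constructed responses."""
    it = iter(states)
    def fake(url, user, password, data=None):
        if data is not None:                 # POST /services/search/jobs -> sid
            return SAMPLE_SID_XML
        if url.endswith("output_mode=csv"):  # GET .../results/ -> csv
            return SAMPLE_CSV
        return f'<s:key name="dispatchState">{next(it)}</s:key>'  # GET .../jobs/<sid>
    return fake

def run_search(base, user, password, spl, fetch=http_fetch, poll_interval=2, max_polls=30):
    """Create the job, poll until DONE, fail fast on FAILED, return the CSV rows as dicts."""
    jobs = f"{base}/services/search/jobs"
    sid = parse_sid(fetch(jobs, user, password, urllib.parse.urlencode({"search": spl})))
    for _ in range(max_polls):
        state = parse_dispatch_state(fetch(f"{jobs}/{sid}", user, password))
        if state == "DONE":
            break
        if state == "FAILED":
            raise RuntimeError(f"job {sid} FAILED")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"job {sid} not DONE after {max_polls} polls")
    body = fetch(f"{jobs}/{sid}/results/?output_mode=csv", user, password)
    return list(csv.DictReader(io.StringIO(body)))
```

Against a real instance, call `run_search("https://192.168.56.101:8089", user, pass, search)` with the default transport; pass `fetch=make_fake_fetch([...])` to exercise the flow offline.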
