It's life Jim, but not as we know it


Query Splunk, the easy way, with plain old JavaScript

Sometimes you just need the basics. This post walks you through the simplest, quickest way to query data from Splunk, using plain old JavaScript. There's no 3rd party plug-ins or SDK required and no opinionated frameworks to deal with. 

You will need:
  • A splunk instance (get yours here if you don't have one)
  • An authorisation token
  • Node.JS and npm installed
If you don't have an auth token, request one from your Administrator. If you are an admin, just create a token using the following cURL command in Terminal (replace <HOST> with your host instance). Change the +300d if you want to adjust the time before the token expires. 

curl -k -u UID:PWD -X POST https://<HOST>:8089/services/authorization/tokens?output_mode=json --data name=admin --data audience=Managers --data-urlencode expires_on=+300d 

for example, if your userid was Susan, your password was Wibble! and your Splunk instance was running on, then you would enter

curl -k -u Susan:Wibble! -X POST --data name=admin --data audience=Managers --data-urlencode expires_on=+300d 

Copy your token and keep it safe. There's no way to retrieve it later.
You can test your token works with the following cURL command

curl -k -X POST -s -H "Authorization: Bearer <PUT TOKEN HERE>" https://<HOST>:8089/services/search/jobs -d search="search index=_internal" -d output_mode=json -d exec_mode=oneshot | json_pp

Enough cURL - now we're ready to rock!

Disclaimer: In the interests of being quick and dirty, we are going to encode the host, access token and search string in the app. I feel so dirty, but I'll sacrifice a few principles for your benefit... 

Step 1: Create your node.js app from the command line. For example, if your app is called 'simple', in a new directory called simple, enter 'npm init'.

Step 2: Create a file called main.js and in your favourite editor enter the following: 

// Using core libraries of node.js (no 3rd party npm modules to install)
const https = require('https');
const querystring = require('querystring');

// obvious - but use a Splunk search you've already run in the Splunk app
let mySearchString = 'search index=_internal'; 
// use the token you created in the previous step const token = 'Bearer <TOKEN>'; // set the response to JSON format (it will send XML by default // use the 'oneshot' method to execute the search in one attempt.
// Normal queries would be an asynchronous
// the request would return a Search ID (SID) that you can 
// use to get the results of the search
let postData = querystring.stringify({
    'search': mySearchString,
// Set up the HTTP request
// fill out the HOST and token field
let options = {
    hostname: '<HOST>',
    port: 8089,
    path: '/services/search/jobs',
    method: 'POST',
    rejectUnauthorized: false,
    requestCert: true,
    agent: false,
    body: postData,
    headers: {
        'Content-Type': 'application/json',
        'X-Requested-By': 'STANDALONE',
        'Content-Length': Buffer.byteLength(postData),
        'Authorization': token

// Print out what we have set up

// return an instance of the http.ClientRequest class
const req = https.request(options, (res) => {
    // display the response
    console.log(`STATUS: ${res.statusCode}`);
    console.log(`HEADERS: ${JSON.stringify(res.headers)}`);
    res.on('data', (chunk) => {
      console.log(`BODY: ${chunk}`);
    res.on('end', () => {
      console.log('All done. No more data in response.');
  // Handle any errors
  req.on('error', (e) => {
    console.error(`problem with request: ${e.message}`);
  // Write data to request body

  // signify the end of the request

Step 3: Save the file and then from the command line enter 'node main.js' to run the application. If all goes well you should get a JSON response with your search results.