Run post-process searches with risky commands using the Splunk platform REST API

Explains how risky-command checks apply to post-process searches that run through REST API endpoints.

When you run a post-process search against a search job by using the Splunk platform REST API endpoints, the Splunk platform checks the post-process search for risky commands. If the post-process search includes a risky command, the REST API request is rejected unless you set check_risky_command to false for that request.

Note: Only set check_risky_command to false after you review the post-process search and accept the risk of running the risky command.

For example, the following REST API request creates a search job with a base search that does not include a risky command:

CODE
curl -k -u <username>:<password> https://<host>:8089/services/search/jobs \
  -d output_mode=json \
  -d exec_mode=blocking \
  --data-urlencode search="search index=_internal | head 5"

The response includes a search ID in the sid field, which appears as <sid> in the following examples.

The following REST API request runs a post-process search with the risky command outputlookup. Because the request does not set check_risky_command to false, the Splunk platform rejects the request with an HTTP 403 response:

CODE
curl -k -u <username>:<password> https://<host>:8089/services/search/v2/jobs/<sid>/results_preview \
  -d output_mode=json \
  --data-urlencode search="| outputlookup risky_postprocess_test.csv"

The following is an example response:

JSON
{"messages":[{"type":"risky_command","text":"Found potentially risky commands:outputlookup ","RiskyCommands":"outputlookup "}]}

To run the post-process search after you review and accept the risk, set check_risky_command to false in the REST API request, like this:

CODE
curl -k -u <username>:<password> https://<host>:8089/services/search/v2/jobs/<sid>/results_preview \
  -d output_mode=json \
  -d check_risky_command=false \
  --data-urlencode search="| outputlookup risky_postprocess_test.csv"

When check_risky_command is set to false, the Splunk platform runs the post-process search and returns an HTTP 200 response indicating that the REST API request was successful.