Quick and dirty Splunk search in PowerShell, via the REST API on the management port (8089). Two variants follow: Windows PowerShell 5.1 and PowerShell 6.0.
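# powershell 5.1
#
# SECURITY: the IgnoreCerts type emitted below makes EVERY HTTPS call in this
# process accept any server certificate (ServicePointManager.CertificatePolicy
# is process-global, not per-request), so the password posted further down would
# be sent to whatever answers on port 8089, including an interception proxy.
# The right fix is to trust the Splunk CA in the Windows certificate store and
# leave this $false; set it to $true only for a throw-away lab with a
# self-signed management certificate.
$SkipCertificateCheck = $false

if ($SkipCertificateCheck) {
    # Re-running the script in the same session must not emit a second
    # IgnoreCerts type; reuse the one already present in a dynamic assembly.
    $ignoreCertsType = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.IsDynamic -and $_.GetName().Name -eq 'IgnoreCerts' } |
        ForEach-Object { $_.GetType('IgnoreCerts') } |
        Select-Object -First 1

    if (-not $ignoreCertsType) {
        # Emit a class implementing ICertificatePolicy whose CheckValidationResult
        # body is just "ldc.i4.1; ret", i.e. it unconditionally returns $true.
        $AssemblyBuilder = ([AppDomain]::CurrentDomain).DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('IgnoreCerts')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('IgnoreCerts', $false)
        $TypeBuilder = $ModuleBuilder.DefineType('IgnoreCerts', 'AutoLayout, AnsiClass, Class, Public, BeforeFieldInit', [System.Object], [System.Net.ICertificatePolicy])
        $TypeBuilder.DefineDefaultConstructor('PrivateScope, Public, HideBySig, SpecialName, RTSpecialName') | Out-Null
        $MethodInfo = [System.Net.ICertificatePolicy].GetMethod('CheckValidationResult')
        $MethodBuilder = $TypeBuilder.DefineMethod($MethodInfo.Name, 'PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask', $MethodInfo.CallingConvention, $MethodInfo.ReturnType, ([Type[]] ($MethodInfo.GetParameters() | ForEach-Object {$_.ParameterType})))
        $ILGen = $MethodBuilder.GetILGenerator()
        $ILGen.Emit([Reflection.Emit.Opcodes]::Ldc_I4_1)
        $ILGen.Emit([Reflection.Emit.Opcodes]::Ret)
        $ignoreCertsType = $TypeBuilder.CreateType()
    }

    # ICertificatePolicy is deprecated in favour of ServerCertificateValidationCallback,
    # but it is still honoured by .NET Framework, which is what PS 5.1 runs on.
    # Instantiate via the Type object rather than by name so we do not depend on
    # PowerShell resolving a type that lives in a dynamic assembly.
    [System.Net.ServicePointManager]::CertificatePolicy = [Activator]::CreateInstance($ignoreCertsType)
}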
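# Splunk management port (8089), not the web UI (8000). Use the FQDN the
# server's certificate was issued for; otherwise validation fails by design.
$base_url = 'https://yoursplunkserverfqdn:8089'
$auth_endpoint = "$base_url/services/auth/login"
$search_endpoint = "$base_url/servicesNS/nobody/search/search/jobs/export"

# PS 5.1 runs on .NET Framework, whose default SecurityProtocol can still
# negotiate TLS 1.0/1.1 depending on OS and .NET version. Pin TLS 1.2 before the
# first request so the password below never crosses a downgraded connection.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Interactive prompt; the password stays a SecureString until the form body is
# built. The plaintext copy lives only in that hashtable for the duration of
# the call and is never written out.
$cred = Get-Credential
# -UseBasicParsing skips the Internet Explorer DOM parser, which hangs on hosts
# where IE first-run setup never completed (Server Core, service accounts).
$res = Invoke-WebRequest -Method Post -Uri $auth_endpoint -UseBasicParsing -ContentType 'application/x-www-form-urlencoded' -Body @{username = $cred.UserName; password = $cred.GetNetworkCredential().password} -TimeoutSec 30 -ErrorAction Stop

# With -ErrorAction Stop a non-2xx status already throws, so the else branch is
# belt-and-braces. The session key is a bearer credential for this user: treat
# it like the password (do not echo it, do not let it land in a transcript).
$sessionKey = if ($res.StatusCode -eq 200) {
    ([xml]$res.Content).ChildNodes.sessionKey
}
else {
    throw "$($res.RawContent)"
}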
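# SPL to run. Kept in a variable so the script is reusable. Everything after
# "search" is handed to Splunk verbatim and SPL has its own command pipeline
# (| outputcsv, | sendemail, ...), so never build this string from untrusted input.
$search = 'search * | head 5'

# The export endpoint streams results as newline-delimited JSON envelopes rather
# than one JSON document, hence the line-by-line parse below.
$res = Invoke-WebRequest -Method Post -Uri $search_endpoint -UseBasicParsing -Headers @{Authorization = "Splunk $sessionKey"} -Body @{
    search = $search
    output_mode = "json"
} -TimeoutSec 30 -ErrorAction Stop

# Non-2xx already throws because of -ErrorAction Stop; this is belt-and-braces.
$content = if ($res.StatusCode -eq 200) {
    $res.Content
}
else {
    throw "$($res.RawContent)"
}

# Drop blank lines (trailing newline, CRLF remnants) before ConvertFrom-Json:
# in 5.1 an empty string is a parameter-binding error, not an empty object.
# Each remaining line is an envelope like {preview, offset, result}; only the
# event fields under "result" are returned.
$content -split "`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { $_ | ConvertFrom-Json | Select-Object -ExpandProperty result }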
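# powershell 6.0
#
# SECURITY: -SkipCertificateCheck disables server-certificate validation for the
# request, so the password below would be posted to anything answering on 8089
# (wrong host, interception proxy). Leave this $false and trust the Splunk CA in
# the OS store; set it to $true only for a throw-away lab with a self-signed cert.
$SkipCertificateCheck = $false

# Splunk management port (8089), not the web UI (8000). Use the FQDN the
# server's certificate was issued for; otherwise validation fails by design.
$base_url = 'https://yoursplunkserverfqdn:8089'
$auth_endpoint = "$base_url/services/auth/login"
$search_endpoint = "$base_url/servicesNS/nobody/search/search/jobs/export"

# Interactive prompt; the plaintext password exists only inside the form body
# hashtable for the duration of the call and is never written out.
$cred = Get-Credential
# Switch is passed with an explicit value so validation stays on unless the
# opt-in above is flipped. (Newer 6.x builds also offer -SslProtocol to pin TLS
# 1.2; check Get-Help Invoke-WebRequest on your build before relying on it.)
$res = Invoke-WebRequest -Method Post -Uri $auth_endpoint -ContentType 'application/x-www-form-urlencoded' -Body @{username = $cred.UserName; password = $cred.GetNetworkCredential().password} -TimeoutSec 30 -ErrorAction Stop -SkipCertificateCheck:$SkipCertificateCheck

# With -ErrorAction Stop a non-2xx status already throws, so the else branch is
# belt-and-braces. The session key is a bearer credential for this user: treat
# it like the password (do not echo it, do not let it land in a transcript).
$sessionKey = if ($res.StatusCode -eq 200) {
    ([xml]$res.Content).ChildNodes.sessionKey
}
else {
    throw "$($res.RawContent)"
}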
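# SPL to run. Kept in a variable so the script is reusable. Everything after
# "search" is handed to Splunk verbatim and SPL has its own command pipeline
# (| outputcsv, | sendemail, ...), so never build this string from untrusted input.
$search = 'search * | head 5'

# $SkipCertificateCheck is the explicit opt-in for bypassing server-certificate
# validation; when it is unset or $false the certificate is validated. The
# [bool] cast turns an unset variable into "validate", never into "skip".
# The export endpoint streams results as newline-delimited JSON envelopes rather
# than one JSON document, hence the line-by-line parse below.
$res = Invoke-WebRequest -Method Post -Uri $search_endpoint -Headers @{Authorization = "Splunk $sessionKey"} -Body @{
    search = $search
    output_mode = "json"
} -TimeoutSec 30 -ErrorAction Stop -SkipCertificateCheck:([bool]$SkipCertificateCheck)

# Non-2xx already throws because of -ErrorAction Stop; this is belt-and-braces.
$content = if ($res.StatusCode -eq 200) {
    $res.Content
}
else {
    throw "$($res.RawContent)"
}

# Drop blank lines (trailing newline, CRLF remnants) before ConvertFrom-Json so
# an empty string is never parsed. Each remaining line is an envelope like
# {preview, offset, result}; only the event fields under "result" are returned.
$content -split "`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { $_ | ConvertFrom-Json | Select-Object -ExpandProperty result }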