https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18400#M2501 <P>I've tried OData many thanks to Neeraj Luthra. but I'm what I'm trying to do probably doesn't require OData. The problem I'm facing is while OData works nicely out of the box, excel parses the XML it generates in a very verbose manner giving me much more data than I need. I'd rather not have to debug that side of things if Splunk REST API will do the trick for me.</P> Wed, 22 May 2013 09:09:09 GMT leecaf 2013-05-22T09:09:09Z https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18397#M2498 <P>EDIT:<BR /> I've gotten some help from Splunk support team and now can get oneshot blocking calls working using the url below:</P> <P><A href="https://localhost:8089/services/search/jobs?exec_mode=oneshot&amp;output_mode=json&amp;search=%22search">https://localhost:8089/services/search/jobs?exec_mode=oneshot&amp;output_mode=json&amp;search="search</A> index=_internal | head 10"</P> <P>however it is unclear to me how I would invoke a oneshot REST call to a saved service. I'm guessing it would look something like the url below but haven't had any success after playign with a few combinations usually a '404 not found':</P> <P><A href="https://localhost:8089/saved/searches/%7Bname%7D?exec_mode=oneshot&amp;output_mode=json">https://localhost:8089/saved/searches/{name}?exec_mode=oneshot&amp;output_mode=json</A></P> <P>can someone help please?</P> <P>The eventual goal is to be able to import data from splunk into Excel much like how a CSV would be imported.</P> Mon, 29 Apr 2013 10:31:41 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18397#M2498 leecaf 2013-04-29T10:31:41Z https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18398#M2499 <P>You might find the <A href="http://splunk-base.splunk.com/apps/58162/odata-for-splunk" target="_blank">OData for Splunk</A> app to be a better option.</P> <P>However, to answer your question, it's hard to see from the data you have supplied. It looks like you have "search=index=_internal |head 5", where you would want search index=_internal | head 5 as the specific error message is saying it's missing a search command (i.e. search) before a quote mark.</P> Mon, 28 Sep 2020 13:47:58 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18398#M2499 dart 2020-09-28T13:47:58Z https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18399#M2500 <P>Thanks, emailed dev for OData.<BR /> corrected typo in my original post but still getting same error</P> Mon, 29 Apr 2013 12:28:21 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18399#M2500 leecaf 2013-04-29T12:28:21Z https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18400#M2501 <P>I've tried OData many thanks to Neeraj Luthra. but I'm what I'm trying to do probably doesn't require OData. The problem I'm facing is while OData works nicely out of the box, excel parses the XML it generates in a very verbose manner giving me much more data than I need. I'd rather not have to debug that side of things if Splunk REST API will do the trick for me.</P> Wed, 22 May 2013 09:09:09 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18400#M2501 leecaf 2013-05-22T09:09:09Z https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18401#M2502 <P>What about calling the saved search via the search command itself from the CLI? IE</P> <PRE><CODE>curl -k -u admin:changeme -d 'search="savedsearch \"Errors in the last 24 hours\""' -d "output_mode=json" -d "exec_mode=oneshot" <A href="https://localhost:8089/servicesNS/admin/search/search/jobs/export" target="test_blank">https://localhost:8089/servicesNS/admin/search/search/jobs/export</A> </CODE></PRE> Tue, 11 Jun 2013 16:59:23 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-oneshot-blocking-saved-search/m-p/18401#M2502 Flynt 2013-06-11T16:59:23Z