https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165724#M33608 <P>Most specifically the output_mode tag</P> <P>curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d <STRONG>"output_mode=json"</STRONG> <A href="https://localhost:8089/servicesNS/admin/search/search/jobs/export">https://localhost:8089/servicesNS/admin/search/search/jobs/export</A></P> Mon, 29 Dec 2014 19:55:58 GMT dolivasoh 2014-12-29T19:55:58Z https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165722#M33606 <P>Is there any way how I can get JSON raw data from Splunk for a given query?</P> <P>Consider the following timechart query:</P> <PRE><CODE>index=* earliest=&lt;from_time&gt; latest=&lt;to_time&gt; | timechart span=1s count </CODE></PRE> <P>Key things in the query are: 1. Start/End Time, 2. Time Span (say sec) and 3. Value (say count)</P> <P>The expected JSON response would be:</P> <PRE><CODE>{"fields":["_time","count","_span"], "rows":[["2014-12-25T00:00:00.000-06:00","1460981","1"], ..., ["2014-12-25T01:00:00.000-06:00","536889","1"]]} </CODE></PRE> <P>This is the XHR (ajax calls) for the output_mode=json_rows calls. This requires session and authentication setups.</P> <P>I’m looking for a RESTful implementation of the same with authentication.</P> Mon, 28 Sep 2020 18:30:20 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165722#M33606 jibiuthaman 2020-09-28T18:30:20Z https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165723#M33607 <P>Maybe check out the REST API Basic Tutorial <A href="http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT">http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT</A></P> Mon, 29 Dec 2014 19:48:04 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165723#M33607 dolivasoh 2014-12-29T19:48:04Z https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165724#M33608 <P>Most specifically the output_mode tag</P> <P>curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d <STRONG>"output_mode=json"</STRONG> <A href="https://localhost:8089/servicesNS/admin/search/search/jobs/export">https://localhost:8089/servicesNS/admin/search/search/jobs/export</A></P> Mon, 29 Dec 2014 19:55:58 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165724#M33608 dolivasoh 2014-12-29T19:55:58Z https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165725#M33609 <P>If you're looking for a javascript call... here's an example using axios (an npm package i use in my react apps - fetch will also work)</P> <PRE><CODE>const base_url = ''https://yoursplunkserver.com/servicesNS/admin/search/search/jobs/export"; const auth = {username: 'username', password: 'password'}; const search = 'savedsearch yourSavedSearchName'; const params={'output_mode': 'json_cols', search: search}; //no es6 used for clarity axios.get(base_url, {auth: auth, params: params}) .then((response) =&gt; { //do something with your data }) .catch((err) =&gt; { //sth went wrong } </CODE></PRE> <P>Hope this helps someone</P> Fri, 18 May 2018 03:11:16 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-way-via-REST-to-get-JSON-raw-data-from-Splunk-for-a/m-p/165725#M33609 AlisonHaire 2018-05-18T03:11:16Z