topic Splunk API Script Help in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splunk-API-Script-Help/m-p/668913#M229443 <P>All,</P><P>Leveraging the following article (<A href="https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/highlight/false#M475" target="_blank" rel="noopener">https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/highlight/false#M475</A>) I was able to successfully manipulate the script to:</P><P>1. Run using an API token (as opposed to credentials).</P><P>2. Get it to run a search I am interested in returning data from.</P><P>I am however running into an error with my search (shown below).</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;response&gt; &lt;messages&gt; &lt;msg type="ERROR"&gt;Unparsable URI-encoded request data&lt;/msg&gt; &lt;/messages&gt; &lt;/response&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;The script itself now looks like this (I have removed the token and obscured the Splunk endpoint for obvious reasons.</P><P>&nbsp;</P><LI-CODE lang="markup">#!/bin/bash # A simple bash script example of how to get notable events details from REST API # EXECUTE search and retrieve SID SID=$(curl -H "Authorization: Bearer &lt;token ID here&gt;" -k https://host.domain.com:8089/services/search/jobs -d search=" search index=index sourcetype="sourcetype" source="source" [ search index="index" sourcetype="sourcetype" source="source" deleted_at="null" | rename uuid AS host_uuid | stats count by host_uuid | fields host_uuid ] | rename data.id AS Data_ID host_uuid AS Host_ID port AS Network_Port | mvexpand data.xrefs{}.type | strcat Host_ID : Data_ID : Network_Port Custom_ID_1 | strcat Host_ID : Data_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search category!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")" &lt;removed some of the search for brevity&gt; \ | grep "sid" | awk -F\&gt; '{print $2}' | awk -F\&lt; '{print $1}') echo "SID=${SID}" Omitted the remaining portion of the script for brevity....</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>It is at this point shown in brackets (| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S") that I am getting the error in question.</P><P>The search returns fine up to the point where I am converting time ---- I tried escaping using "\", but that did not seem to help. I am sure I am missing something simple and looking for some help.</P> Thu, 16 Nov 2023 19:50:32 GMT qcjacobo2577 2023-11-16T19:50:32Z Splunk API Script Help https://community.splunk.com/t5/Splunk-Search/Splunk-API-Script-Help/m-p/668913#M229443 <P>All,</P><P>Leveraging the following article (<A href="https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/highlight/false#M475" target="_blank" rel="noopener">https://community.splunk.com/t5/Other-Usage/How-to-export-reports-using-the-REST-API/m-p/640406/highlight/false#M475</A>) I was able to successfully manipulate the script to:</P><P>1. Run using an API token (as opposed to credentials).</P><P>2. Get it to run a search I am interested in returning data from.</P><P>I am however running into an error with my search (shown below).</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;response&gt; &lt;messages&gt; &lt;msg type="ERROR"&gt;Unparsable URI-encoded request data&lt;/msg&gt; &lt;/messages&gt; &lt;/response&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;The script itself now looks like this (I have removed the token and obscured the Splunk endpoint for obvious reasons.</P><P>&nbsp;</P><LI-CODE lang="markup">#!/bin/bash # A simple bash script example of how to get notable events details from REST API # EXECUTE search and retrieve SID SID=$(curl -H "Authorization: Bearer &lt;token ID here&gt;" -k https://host.domain.com:8089/services/search/jobs -d search=" search index=index sourcetype="sourcetype" source="source" [ search index="index" sourcetype="sourcetype" source="source" deleted_at="null" | rename uuid AS host_uuid | stats count by host_uuid | fields host_uuid ] | rename data.id AS Data_ID host_uuid AS Host_ID port AS Network_Port | mvexpand data.xrefs{}.type | strcat Host_ID : Data_ID : Network_Port Custom_ID_1 | strcat Host_ID : Data_ID Custom_ID_2 | stats latest(*) as * by Custom_ID_1 | search state!="fixed" | search category!="informational" | eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S")" &lt;removed some of the search for brevity&gt; \ | grep "sid" | awk -F\&gt; '{print $2}' | awk -F\&lt; '{print $1}') echo "SID=${SID}" Omitted the remaining portion of the script for brevity....</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>It is at this point shown in brackets (| eval unixtime=strptime(first_found,"%Y-%m-%dT%H:%M:%S") that I am getting the error in question.</P><P>The search returns fine up to the point where I am converting time ---- I tried escaping using "\", but that did not seem to help. I am sure I am missing something simple and looking for some help.</P> Thu, 16 Nov 2023 19:50:32 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-API-Script-Help/m-p/668913#M229443 qcjacobo2577 2023-11-16T19:50:32Z Re: Splunk API Script Help https://community.splunk.com/t5/Splunk-Search/Splunk-API-Script-Help/m-p/668952#M229463 <P>Use the --data-urlencode option instead of -d (--data)</P><LI-CODE lang="markup">curl -H "Authorization: Bearer &lt;token ID here&gt;" -k https://host.domain.com:8089/services/search/jobs --data-urlencode search='&lt;your search term&gt;'</LI-CODE><P>One more thing: SPL uses lots of double quotes. &nbsp;Quote your search with single quotes saves you lots of escapes.</P> Fri, 17 Nov 2023 06:17:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-API-Script-Help/m-p/668952#M229463 yuanliu 2023-11-17T06:17:46Z