Getting Data In

How do I find the results for the cli search that output_mode is csv

tkw03
Communicator

Hello

I have a curl command that runs a saved search and uses output_mode=csv.

What I need to know is where do I get the results from?

Here's the command:

curl -k -u "xxsnypr:xxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Bluecoat" -d output_mode=csv

Thanks!

0 Karma
1 Solution

efavreau
Motivator

Add a -o to your command for "output", then the full path to where you want it.
Example: curl -k -u "xxsnypr:xxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Bluecoat" -d output_mode=csv -o \var\temp\splunkresults_bluecoat.csv

###

If this reply helps you, an upvote would be appreciated.


tkw03
Communicator

Gave the Answer to the above because that was the answer to where the file was going or how to create the file in a specific path.

I got this to work BUT what I had to do was edit my saved search. I changed my saved search to

 | table * | fields <fields I wanted>

once I did that and ran the API command again:

curl -k -u "xxsnypr:XXXXXXXXX" -L https://splunk.mydoamin.com:8089/services/search/jobs/export -d search="savedsearch SnyprBlueCoat" -d output_mode=csv -o /home/splunk/test2.csv

I got my csv results. The underlying issue was the saved search's syntax; for some reason it didn't like the:

search to get data| table <fields I want>
0 Karma

tkw03
Communicator

Hello

When I do this the report seems to start running and then it just drops me back to the command prompt and never creates the .csv file

[me@myhost00 ~]$ curl -k -u "xxsnypr:xxxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Snypr1" -d output_mode=csv -o /home/splunk/splunkresults_bluecoat.csv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    42    0     0    0    42      0      0 --:--:--  0:03:20 --:--:--     0
[me@myhost00 ~]$ ls
[me@myhost00 ~]$
0 Karma

efavreau
Motivator
  1. Make sure the query generates results by testing it in the UI. To me, it looks like the search is running and finds nothing. I say that because a bad search won't spend time, and it spends time. But it received no bytes.
  2. An FYI: If you run the command where you need the file, you don't need the full path.
###

If this reply helps you, an upvote would be appreciated.
0 Karma
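The check efavreau describes (did the export actually return rows, or just spend time and receive nothing?), as an added shell example that is not from this thread: it runs the same /services/search/jobs/export request with output_mode=csv, captures the HTTP status with -w, and inspects the output file before declaring success. It assumes the credentials sit in ~/.netrc (curl -n, so they stay out of the command line and shell history) and that SPLUNK_CA_BUNDLE points at the server's CA bundle instead of using -k; the host, saved-search name and output path are placeholders.

```shell
#!/bin/sh
# Export a Splunk saved search as CSV through /services/search/jobs/export and
# verify the result instead of assuming the file appeared.
# Assumptions (not from the thread): the Splunk credentials are in ~/.netrc
# (curl -n) and SPLUNK_CA_BUNDLE points at the CA bundle for the server.

# check_csv_export FILE HTTP_CODE
# 0: FILE holds a CSV header and at least one data row
# 1: non-200 status (FILE then holds Splunk's error body)
# 2: empty or header-only body (the "received 0 bytes" case in the thread)
# 3: body is an XML/JSON error document rather than CSV
check_csv_export() {
    file=$1; code=$2
    [ "$code" = "200" ] || return 1
    [ -s "$file" ] || return 2
    case "$(head -n 1 "$file")" in
        '<'*|'{'*) return 3 ;;
    esac
    rows=$(wc -l < "$file" | tr -d ' ')
    [ "$rows" -ge 2 ] || return 2
    return 0
}

# export_saved_search HOST SAVED_SEARCH_NAME OUTFILE
export_saved_search() {
    host=$1; name=$2; out=$3
    # -w prints only the status code to stdout; the body goes to OUTFILE via -o.
    code=$(curl -sS -n -L --cacert "$SPLUNK_CA_BUNDLE" \
        "https://$host:8089/services/search/jobs/export" \
        --data-urlencode "search=| savedsearch \"$name\"" \
        -d output_mode=csv \
        -o "$out" -w '%{http_code}')
    check_csv_export "$out" "$code"; rc=$?
    case $rc in
        0) echo "ok: $(wc -l < "$out" | tr -d ' ') lines written to $out" ;;
        1) echo "HTTP $code from $host; error body is in $out" >&2 ;;
        2) echo "search ran but returned no rows; test it in the UI first" >&2 ;;
        3) echo "Splunk returned an error document, not CSV:" >&2
           head -c 200 "$out" >&2; echo >&2 ;;
    esac
    return $rc
}

# Example call (placeholder host and search name):
# export_saved_search splunk.example.com Bluecoat /home/splunk/bluecoat.csv
```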

tkw03
Communicator

Yeah the search in the UI returns hundreds of thousands of results.

Yeah I know, I just recalled the previous command so I didn't have to retype it.

0 Karma