- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I find the results for the cli search t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have a curl command that runs a saved search and uses output_mode=csv .
What I need to know is where do I get the results from?
Here's the command:
curl -k -u "xxsnypr:xxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Bluecoat" -d output_mode=csv
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a -o to your command for "output", then the full path to where you want it.
Example: curl -k -u "xxsnypr:xxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Bluecoat" -d output_mode=csv -o \var\temp\splunkresults_bluecoat.csv
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gave the Answer to the above because that was the answer to where the file was going or how to create the file in a specific path.
I got this to work BUT what I had to do was edit my saved search. I changed my saved search to
| table * | fields <fields I wanted>
once I did that and ran the API command again:
curl -k -u "xxsnypr:XXXXXXXXX" -L https://splunk.mydoamin.com:8089/services/search/jobs/export -d search="savedsearch SnyprBlueCoat" -d output_mode=csv -o /home/splunk/test2.csv
I got my csv results. The underlying issue was the saved search's syntax, for some reason it didnt like the:
search to get data| table <fields I want>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a -o to your command for "output", then the full path to where you want it.
Example: curl -k -u "xxsnypr:xxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Bluecoat" -d output_mode=csv -o \var\temp\splunkresults_bluecoat.csv
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
When I do this the report seems to start running and then it jsut drops me back to the command prompt and never creates the .csv file
[me@myhost00 ~]$ curl -k -u "xxsnypr:xxxxxxxx" -L https://splunk.ourdomain.com:8089/services/search/jobs/export -d search=" savedsearch Snypr1" -d output_mode=csv -o /home/splunk/splunkresults_bluecoat.csv
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 42 0 0 0 42 0 0 --:--:-- 0:03:20 --:--:-- 0
[me@myhost00 ~]$ ls
[me@myhost00 ~]$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Make sure the query generates results by testing it in the UI. To me, it looks like the search is running and finds nothing. I say that because a bad search won't spend time, and it spends time. But it received no bytes.
- an FYI: If you run the command where you need the file, you don't need the full path.
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah the search in the UI returns hundreds of thousands of results.
Yeah I know, I just recalled the previous command so I didnt have to retype it.
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
Enterprise Security Content Update (ESCU) | New Releases
