Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any way via REST to get JSON raw data from Splunk for a given query?

jibiuthaman
Explorer
‎12-29-2014 09:46 AM

Is there any way how I can get JSON raw data from Splunk for a given query?

Consider the following timechart query:

index=* earliest=<from_time> latest=<to_time> | timechart  span=1s count

Key things in the query are: 1. Start/End Time, 2. Time Span (say sec) and 3. Value (say count)

The expected JSON response would be:

{"fields":["_time","count","_span"], "rows":[["2014-12-25T00:00:00.000-06:00","1460981","1"], ..., ["2014-12-25T01:00:00.000-06:00","536889","1"]]}

This is the XHR (ajax calls) for the output_mode=json_rows calls. This requires session and authentication setups.

I’m looking for a RESTful implementation of the same with authentication.

Reply

AlisonHaire
New Member
‎05-17-2018 08:11 PM

If you're looking for a javascript call... here's an example using axios (an npm package i use in my react apps - fetch will also work)

const base_url = ''https://yoursplunkserver.com/servicesNS/admin/search/search/jobs/export";
const auth = {username: 'username', password: 'password'};
const search = 'savedsearch yourSavedSearchName';
const params={'output_mode': 'json_cols', search: search}; //no es6 used for clarity

axios.get(base_url, {auth: auth, params: params})
.then((response) => {
//do something with your data
})
.catch((err) => {
//sth went wrong
}

Hope this helps someone

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:48 AM

Maybe check out the REST API Basic Tutorial http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:55 AM

Most specifically the output_mode tag

curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d "output_mode=json" https://localhost:8089/servicesNS/admin/search/search/jobs/export

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...