Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way via REST to get JSON raw data from Splunk for a given query?

jibiuthaman
Explorer
‎12-29-2014 09:46 AM

Is there any way how I can get JSON raw data from Splunk for a given query?

Consider the following timechart query:

index=* earliest=<from_time> latest=<to_time> | timechart  span=1s count

Key things in the query are: 1. Start/End Time, 2. Time Span (say sec) and 3. Value (say count)

The expected JSON response would be:

{"fields":["_time","count","_span"], "rows":[["2014-12-25T00:00:00.000-06:00","1460981","1"], ..., ["2014-12-25T01:00:00.000-06:00","536889","1"]]}

This is the XHR (ajax calls) for the output_mode=json_rows calls. This requires session and authentication setups.

I’m looking for a RESTful implementation of the same with authentication.

Reply

AlisonHaire
New Member
‎05-17-2018 08:11 PM

If you're looking for a javascript call... here's an example using axios (an npm package i use in my react apps - fetch will also work)

const base_url = ''https://yoursplunkserver.com/servicesNS/admin/search/search/jobs/export";
const auth = {username: 'username', password: 'password'};
const search = 'savedsearch yourSavedSearchName';
const params={'output_mode': 'json_cols', search: search}; //no es6 used for clarity

axios.get(base_url, {auth: auth, params: params})
.then((response) => {
//do something with your data
})
.catch((err) => {
//sth went wrong
}

Hope this helps someone

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:48 AM

Maybe check out the REST API Basic Tutorial http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:55 AM

Most specifically the output_mode tag

curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d "output_mode=json" https://localhost:8089/servicesNS/admin/search/search/jobs/export

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...