Getting Data In

REST API JSON output only with "result" field (without offset, etc.)

highsplunker
Contributor

Hey guys, could you please help!

I use
curl -k -u 'myUser:myPwd' https://localhost:8089/services/search/jobs/export -d search="search index=myIndex | head 2 | table _time, CLIENT_ID, EVENT_TYPE_NAME " -d output_mode=json

After that i get
{"preview":false,"offset":0,"result":{"_time":"2019-09-16 08:29:35.000 GMT","EVENT_TYPE_NAME":"Log in"}}
{"preview":false,"offset":1,"lastrow":true,"result":{"_time":"2019-09-16 08:29:35.000 GMT","CLIENT_ID":"1207088","EVENT_TYPE_NAME":"Login"}}

I want only "result" field as output. Is that possible?

Maybe another endpoint?.. Can't find.

Tags (2)
0 Karma

Sukisen1981
Champion

what happens if you add this before -d /results/
--get -d output_mode=json -d count=5
Have you tried some permutations of this - curl -u admin:changeme \
-k https://localhost:8089/servicesNS/admin/search/jobs/1423855196.339/results/ \
--get -d output_mode=json -d count=5

ref here - https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/ExportdatausingRESTAPI

highsplunker
Contributor

hi @Sukisen1981!
thanks for your comment!
i read the page you provided, and for some reason i cannot get the results -- not sure what's wrong

(sorry for the huge delay)

best wishes,
rashid

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...