Getting Data In

Why am I receiving "Error in 'savedsearch' command" when exporting data using REST API?

BP9906
Builder

http://docs.splunk.com/Documentation/Splunk/6.4.5/Search/ExportdatausingRESTAPI

I read the manual, nothing is working.


curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="| savedsearch "Test Search""

This is not working.

I've URL encoded: | savedsearch "Test Search"
This way the double quotes dont get confused with curl command line.

%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20

So my curl command is:

curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20"

Why doesnt this work?

The saved search was created with an admin ldap user, it shows under a custom app (not search app).
The admin user has full admin access, yet I receive:

Error in 'savedsearch' command: Unable to find saved search named 'Test Search'

Thanks for your help!

0 Karma

jkat54
SplunkTrust
SplunkTrust

Does "Test Search" have a global context?

If not, you'll need to specify the app context when accessing it.

https://localhost:8089/servicesNS/admin/yourApp/search/jobs/export

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...