Why am I receiving "Error in 'savedsearch' command...

BP9906 · ‎01-11-2017

http://docs.splunk.com/Documentation/Splunk/6.4.5/Search/ExportdatausingRESTAPI

I read the manual, nothing is working.

curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="| savedsearch "Test Search""
This is not working.

I've URL encoded: | savedsearch "Test Search"
This way the double quotes dont get confused with curl command line.
%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20
So my curl command is:
curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20"

Why doesnt this work?

The saved search was created with an admin ldap user, it shows under a custom app (not search app).
The admin user has full admin access, yet I receive:

Error in 'savedsearch' command: Unable to find saved search named 'Test Search'

Thanks for your help!

jkat54 · ‎01-11-2017

Does "Test Search" have a global context?

If not, you'll need to specify the app context when accessing it.

https://localhost:8089/servicesNS/admin/yourApp/search/jobs/export

Why am I receiving "Error in 'savedsearch' command" when exporting data using REST API?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?