http://docs.splunk.com/Documentation/Splunk/6.4.5/Search/ExportdatausingRESTAPI
I read the manual, nothing is working.
curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="| savedsearch "Test Search""
This is not working.
I've URL encoded: | savedsearch "Test Search"
This way the double quotes dont get confused with curl command line.
%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20
So my curl command is:
curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20"
Why doesnt this work?
The saved search was created with an admin ldap user, it shows under a custom app (not search app).
The admin user has full admin access, yet I receive:
Error in 'savedsearch' command: Unable to find saved search named 'Test Search'
Thanks for your help!
Does "Test Search" have a global context?
If not, you'll need to specify the app context when accessing it.
https://localhost:8089/servicesNS/admin/yourApp/search/jobs/export