Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is my Splunk events search not working with cu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mukesh2019
Explorer
12-19-2018
07:10 AM
Hi Everybody,
I was trying to run the below search events commands with Splunk but I'm getting incorrect data.The count should have been 747, but its 0. Please suggest.
curl -k -u user:pass https://host.domain.com:8089/services/search/jobs --get -d search="index=1234_nontricare source=/abc/logs/cpp*atch/aep/bw-monitoring-gsspcc.log| stats count as Total" -d output_mode=json
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>jobs</title>
<id>https://host.domain.com:8089/services/search/jobs</id>
<updated>2018-12-19T09:56:22-05:00</updated>
<generator build="59c8927def0f" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
</feed>
Thanks in Advance .Apologies for not editing properly.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-19-2018
10:23 AM
Hello @mukesh2019,
The services/search/jobs endpoint, which you are using, is for 1) getting details of all current searches (GET) or 2) starting a new search and return the search ID (POST).
It looks like you want to run a oneshot search. I think you are better off here with the services/search/jobs/export endpoint.
Here is an example:
curl -k -u user:password https://yoursplunkserver:8089/services/search/jobs/export -d search="search index%3D_internal | head 5" -d output_mode=csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-19-2018
10:23 AM
Hello @mukesh2019,
The services/search/jobs endpoint, which you are using, is for 1) getting details of all current searches (GET) or 2) starting a new search and return the search ID (POST).
It looks like you want to run a oneshot search. I think you are better off here with the services/search/jobs/export endpoint.
Here is an example:
curl -k -u user:password https://yoursplunkserver:8089/services/search/jobs/export -d search="search index%3D_internal | head 5" -d output_mode=csv
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
