Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is a good way to export data from Splunk via rest API?

02sangeet
Engager
‎05-13-2021 11:56 PM

I want to export data from Splunk via rest API, I've been wondering whether there is a good "Splunk export" solution that can help me to send my query output/result to a third part application with the help of rest API

I have created saved serah in Splunk , and now I want to export the output of my saved serach to third party application on regular interval(once a week), I have the API details of that application with me. I checked webhook option but that was not much help since payload is fixed in that and can only be used with Alert type, Can anyone please suggest any other way .

Demo query:

index=main| timechart avg(page)

For Example API:

https://webhook.site/66e9b123-ee72-4621-98bb-4ab23a46d1e8

Happy to clarify more details if required.

Tags (3)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-15-2022 04:55 AM

@ang3loliveira - You have two options:

  1. You have a report/alert already scheduled and running and you want to export the results of last execution.
    1. Use the REST API solution as provided by @aasabatini 
  2. You have report but not schedule and running. 
    1. Use Python SDK to run and get results and then use few lines in python script to send data to where you want to.
    2. https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearc...
    3. Note that you can do first REST API call also with Python-Splunk-SDK.

 

I hope this helps!!! Karma/upvote would be appreciated!!!

0 Karma
Reply

aasabatini
Motivator
‎05-14-2021 04:06 AM

Hi @02sangeet 

I think the best way to use a data export from rest api is a curl

Example

 

curl -k -u USERNAME:PASSWORD https://SPLUNK_URL:8089/services/search/jobs/export \
        --data-urlencode search='search index="my-index" earliest=0 latest=now | table field1, field2' \
        -d output_mode=csv \
        -d earliest_time='-y@y' \
        -d latest_time='@y' \
        -o output-file.csv

 

in that case the output is CSV but you can use these options

atom | csv | json | json_cols | json_rows | raw | xml

here additional documentation

https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/ExportdatausingRESTAPI

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply

ang3loliveira
Loves-to-Learn
‎05-14-2022 07:26 AM

Hi @aasabatini 

Could you please provide an example on how to export the results of a query (alread executed, results saved) to CSV format?

Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...