Other Usage

How to export reports using the REST API?

tomapatan
Communicator

Hi,

I`m looking to export a scheduled report using the REST API but I`m struggling with the syntax.

I was able to run a new search inside "curl" and export it, but can`t seem to be able to do the same for saved reports.

Would be grateful if someone could help with the syntax for exporting the following report as a CSV file:

 

 

curl -k -H "Authorization: Bearer myValidToken" https://myValidDomain.splunkcloud.com:8089/servicesNS/userName/app/saved/searches/%20Test%20/history

 

 

 

Labels (1)
0 Karma
1 Solution

joao_amorim
Communicator

@tomapatan 

Have you tried something like:

curl -k -u admin:password https://splunkcloud.com:8089/servicesNS/-/-/search/v2/jobs/export -d search="| savedsearch Test" -d output_mode=csv

 Let me know if that works on Splunk Cloud.

View solution in original post

0 Karma

joao_amorim
Communicator

@tomapatan 

Have you tried something like:

curl -k -u admin:password https://splunkcloud.com:8089/servicesNS/-/-/search/v2/jobs/export -d search="| savedsearch Test" -d output_mode=csv

 Let me know if that works on Splunk Cloud.

0 Karma

tomapatan
Communicator

How would I get this working for reports with a longer name format, for example:

[REPORT] This is a test report

I`ve tried to URL encode the characters without success:

%5BREPORT%5D%20This%20is%20a%20test%20report

 

0 Karma

tomapatan
Communicator

Please ignore my previous answer, the report was set to private and this does in fact work.
I had to add the "-o" (output) flag and specify where the file should go to as I didn`t know what the default location was.

0 Karma

tomapatan
Communicator

Unfortunately it doesn`t work. I`m getting

Error in 'savedsearch' command: Unable to find saved search named 'Test'

Although the report definitely exists and is scheduled to run.

0 Karma

joao_amorim
Communicator

Try something like:

... search="| savedsearch 'This is a test report'"....

Or the other way around:

... search='| savedsearch "This is a test resport"' ...

One of those should work.

0 Karma

woodcock
Esteemed Legend

Here is a simple bash script:

#!/bin/bash
# A simple bash script example of how to get notable events details from REST API
# Author = Gregg Woodcock <Woodcock@Splunxter.com>

USERID="admin"
PASSWORD="YOUR_PASSWORD_HERE"
HOST="YOUR_HOST_HERE"

# EXECUTE search and retrieve SID
SID=$(curl -u ${USERID}:${PASSWORD} \
-k https://${HOST}:8089/services/search/jobs \
-d search='| `es_notable_events`' \
| grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"

# WAIT for search to finish
isDone=0
until [ ${isDone} -eq 1 ]; do
# WAIT for search to finish (this should be a test loop with a timeout)
echo "Wating..."
sleep 2
isDone=$(curl -u ${USERID}:${PASSWORD} \
-k https://${HOST}:8089/services/search/jobs/${SID} \
| grep 's:key name="isDone"' | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "isDone=${isDone}"
done

# RETRIEVE the search results (now that job isDone)
curl -u ${USERID}:${PASSWORD} \
-k https://${HOST}:8089/services/search/jobs/${SID}/results/ \
--get -d output_mode=csv

# This endpoint returns results only when your search has completed.
# You can also get output from the events endpoint
# located at /search/jobs/{search_id}/events/
# while your search is still running.
# For complete search results, use the results endpoint.

# You can return search results in JSON, CSV or XML
# by setting the output_mode parameter.
# By default, results are returned in XML format.

qcjacobo2577
Path Finder

@woodcock What is the best way to modify this script to support the API token approach?  I have tried a few different versions, but am unable to get it to work properly.

So....something like: 

curl -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2......."

0 Karma

gerrysr6
Explorer

A simple bash script to do what?

0 Karma

woodcock
Esteemed Legend

To exercise the rest endpoint in its most basic use.

0 Karma

tomapatan
Communicator

Hi Gregg,

This is amazing, thanks for sharing, wish I could mark more than one answer as a solution.
joao_amorim answer was addressing my basic question, but I can see how I can expand on the REST API topic using your solution.

Many thanks,

Toma

Tags (1)

woodcock
Esteemed Legend

There is always the Karma button...

richgalloway
SplunkTrust
SplunkTrust

The saved/searches/<foo>/history endpoint does not have an option for returning the response as a CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tomapatan
Communicator

Hi Rich,

I guess my question is what is the correct endpoint and what is the correct syntax for exporting the report as a CSV file ?

I`ve looked at the "REST API Reference Manual", but couldn't really find my answer.

Many thanks.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There isn't one.  Search results can be exported in CSV format, but not other output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...