Hi,
I'm looking to export a scheduled report using the REST API but I'm struggling with the syntax.
I was able to run a new search inside "curl" and export it, but can't seem to be able to do the same for saved reports.
Would be grateful if someone could help with the syntax for exporting the following report as a CSV file:
curl -k -H "Authorization: Bearer myValidToken" https://myValidDomain.splunkcloud.com:8089/servicesNS/userName/app/saved/searches/%20Test%20/history
Have you tried something like:
curl -k -u admin:password https://splunkcloud.com:8089/servicesNS/-/-/search/v2/jobs/export -d search="| savedsearch Test" -d output_mode=csv
Let me know if that works on Splunk Cloud.
How would I get this working for reports with a longer name format, for example:
[REPORT] This is a test report
I've tried to URL encode the characters without success:
%5BREPORT%5D%20This%20is%20a%20test%20report
Please ignore my previous answer, the report was set to private and this does in fact work.
I had to add the "-o" (output) flag and specify where the file should go to as I didn't know what the default location was.
Unfortunately it doesn't work. I'm getting
Error in 'savedsearch' command: Unable to find saved search named 'Test'
Although the report definitely exists and is scheduled to run.
Try something like:
... search="| savedsearch 'This is a test report'"....
Or the other way around:
... search='| savedsearch "This is a test report"' ...
One of those should work.
Here is a simple bash script:
#!/bin/bash
# A simple bash script example of how to get notable events details from REST API
# Author = Gregg Woodcock <Woodcock@Splunxter.com>
USERID="admin"
PASSWORD="YOUR_PASSWORD_HERE"
HOST="YOUR_HOST_HERE"
# EXECUTE search and retrieve SID
SID=$(curl -u "${USERID}:${PASSWORD}" \
    -k "https://${HOST}:8089/services/search/jobs" \
    -d search='| `es_notable_events`' \
    | grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"
# WAIT for search to finish
isDone=0
# String comparison so an empty isDone (failed request) does not make the test itself error out
until [ "${isDone}" = "1" ]; do
    # WAIT for search to finish (this should be a test loop with a timeout)
    echo "Waiting..."
    sleep 2
    isDone=$(curl -u "${USERID}:${PASSWORD}" \
        -k "https://${HOST}:8089/services/search/jobs/${SID}" \
        | grep 's:key name="isDone"' | awk -F\> '{print $2}' | awk -F\< '{print $1}')
    echo "isDone=${isDone}"
done
# RETRIEVE the search results (now that job isDone)
curl -u "${USERID}:${PASSWORD}" \
    -k "https://${HOST}:8089/services/search/jobs/${SID}/results/" \
    --get -d output_mode=csv
# This endpoint returns results only when your search has completed.
# You can also get output from the events endpoint
# located at /search/jobs/{search_id}/events/
# while your search is still running.
# For complete search results, use the results endpoint.
# You can return search results in JSON, CSV or XML
# by setting the output_mode parameter.
# By default, results are returned in XML format.
@woodcock What is the best way to modify this script to support the API token approach? I have tried a few different versions, but am unable to get it to work properly.
So....something like:
curl -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2......."
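A token-based version of the saved-report export discussed in this thread, as an added example that is not code from any poster or from Splunk. It uses the export endpoint and the double-quoted `savedsearch` form suggested above, feeds the bearer token to curl through `--config -` so it stays out of the process list, and leaves certificate verification on. The `SPLUNK_HOST` and `SPLUNK_TOKEN` variables, the function names, and backslash-escaping of quotes inside the report name are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): export a saved report as CSV using a
# bearer token. SPLUNK_HOST, SPLUNK_TOKEN and all function names are assumptions.

# Quote a report name for SPL: backslash-escape \ and ", then wrap in quotes.
spl_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Build the search string for the export endpoint used earlier in the thread.
build_search() {
  printf '| savedsearch %s' "$(spl_quote "$1")"
}

# Emit a curl config line carrying the token. printf is a shell builtin, so the
# token never appears in any process's argument list (ps, /proc, audit logs).
# Assumes the token contains no double quote or backslash.
auth_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Run the export: $1 = report name, $2 = output file.
# No -k: the server certificate is verified; add --cacert if a private CA is used.
export_report() {
  : "${SPLUNK_HOST:?set SPLUNK_HOST}" "${SPLUNK_TOKEN:?set SPLUNK_TOKEN}"
  auth_config "$SPLUNK_TOKEN" | curl --silent --show-error --fail \
    --config - \
    --data-urlencode "search=$(build_search "$1")" \
    --data "output_mode=csv" \
    --output "$2" \
    "https://${SPLUNK_HOST}:8089/servicesNS/-/-/search/v2/jobs/export"
}

# Touch the network only when called as: script.sh "<report name>" <outfile>
if [ "$#" -eq 2 ]; then
  export_report "$1" "$2"
fi
```

Because `--data-urlencode` encodes the whole search string, a name such as `[REPORT] This is a test report` is passed as-is and needs no manual percent-encoding.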
A simple bash script to do what?
To exercise the rest endpoint in its most basic use.
Hi Gregg,
This is amazing, thanks for sharing, wish I could mark more than one answer as a solution.
joao_amorim's answer was addressing my basic question, but I can see how I can expand on the REST API topic using your solution.
Many thanks,
Toma
There is always the Karma button...
The saved/searches/<foo>/history endpoint does not have an option for returning the response as a CSV.
Hi Rich,
I guess my question is what is the correct endpoint and what is the correct syntax for exporting the report as a CSV file?
I've looked at the "REST API Reference Manual", but couldn't really find my answer.
Many thanks.
There isn't one. Search results can be exported in CSV format, but not other output.