How to export reports using the REST API?

tomapatan
Communicator

Hi,

I'm looking to export a scheduled report using the REST API but I'm struggling with the syntax.

I was able to run a new search inside "curl" and export it, but can't seem to be able to do the same for saved reports.

Would be grateful if someone could help with the syntax for exporting the following report as a CSV file:

curl -k -H "Authorization: Bearer myValidToken" https://myValidDomain.splunkcloud.com:8089/servicesNS/userName/app/saved/searches/%20Test%20/history

0 Karma

joao_amorim
Communicator

@tomapatan 

Have you tried something like:

curl -k -u admin:password https://splunkcloud.com:8089/servicesNS/-/-/search/v2/jobs/export -d search="| savedsearch Test" -d output_mode=csv

Let me know if that works on Splunk Cloud.

0 Karma

tomapatan
Communicator

How would I get this working for reports with a longer name format, for example:

[REPORT] This is a test report

I've tried to URL encode the characters without success:

%5BREPORT%5D%20This%20is%20a%20test%20report

0 Karma

tomapatan
Communicator

Please ignore my previous answer, the report was set to private and this does in fact work.
I had to add the "-o" (output) flag and specify where the file should go to as I didn't know what the default location was.

0 Karma

tomapatan
Communicator

Unfortunately it doesn't work. I'm getting

Error in 'savedsearch' command: Unable to find saved search named 'Test'

Although the report definitely exists and is scheduled to run.

0 Karma

joao_amorim
Communicator

Try something like:

... search="| savedsearch 'This is a test report'"....

Or the other way around:

... search='| savedsearch "This is a test report"' ...

One of those should work.

0 Karma

woodcock
Esteemed Legend

Here is a simple bash script:

#!/bin/bash
# A simple bash script example of how to get notable events details from REST API
# Author = Gregg Woodcock <Woodcock@Splunxter.com>

USERID="admin"
PASSWORD="YOUR_PASSWORD_HERE"
HOST="YOUR_HOST_HERE"

# EXECUTE search and retrieve SID
SID=$(curl -u ${USERID}:${PASSWORD} \
-k https://${HOST}:8089/services/search/jobs \
-d search='| `es_notable_events`' \
| grep "sid" | awk -F\> '{print $2}' | awk -F\< '{print $1}')
echo "SID=${SID}"

# WAIT for search to finish
isDone=0
until [ "${isDone}" = "1" ]; do
    # WAIT for search to finish (this should be a test loop with a timeout)
    echo "Waiting..."
    sleep 2
    isDone=$(curl -u ${USERID}:${PASSWORD} \
        -k https://${HOST}:8089/services/search/jobs/${SID} \
        | grep 's:key name="isDone"' | awk -F\> '{print $2}' | awk -F\< '{print $1}')
    echo "isDone=${isDone}"
done

# RETRIEVE the search results (now that job isDone)
curl -u ${USERID}:${PASSWORD} \
-k https://${HOST}:8089/services/search/jobs/${SID}/results/ \
--get -d output_mode=csv

# This endpoint returns results only when your search has completed.
# You can also get output from the events endpoint
# located at /search/jobs/{search_id}/events/
# while your search is still running.
# For complete search results, use the results endpoint.

# You can return search results in JSON, CSV or XML
# by setting the output_mode parameter.
# By default, results are returned in XML format.

qcjacobo2577
Path Finder

@woodcock What is the best way to modify this script to support the API token approach?  I have tried a few different versions, but am unable to get it to work properly.

So....something like: 

curl -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2......."

0 Karma
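
A token-based form of the export call discussed in this thread, as an added example that is not code from any poster or from Splunk. It reads the Bearer header from an owner-only file so the token stays out of the process list, verifies TLS (no `-k`), and URL-encodes the search so report names with brackets and spaces survive. `SPLUNK_HOST` and `TOKEN_FILE` are assumed variable names, and the permission check assumes GNU `stat`.

```shell
#!/bin/bash
# Added example: export a saved report as CSV using an API token.
# SPLUNK_HOST and TOKEN_FILE are assumed names chosen for this sketch.

# Build the SPL for a report name, using the double-quoted form suggested
# in the thread. Empty names and names containing a double quote or a
# backslash are rejected instead of being escaped.
spl_for_report() {
    case "$1" in
        ""|*'"'*|*\\*) echo "unsupported report name" >&2; return 1 ;;
    esac
    printf '| savedsearch "%s"' "$1"
}

# Succeed only if the token file is readable by its owner alone.
token_file_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat assumed
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# export_report <report name> <output.csv>
export_report() {
    local spl
    spl=$(spl_for_report "$1") || return 1
    token_file_ok "$TOKEN_FILE" || {
        echo "token file must be mode 600 or 400: $TOKEN_FILE" >&2
        return 1
    }
    # TOKEN_FILE holds one line: "Authorization: Bearer <token>".
    # -H @file makes curl read the header from that file.
    # --data-urlencode encodes the whole search string, brackets included.
    # --fail turns HTTP errors into a non-zero exit status.
    curl --silent --show-error --fail \
        -H @"$TOKEN_FILE" \
        "https://${SPLUNK_HOST}:8089/servicesNS/-/-/search/v2/jobs/export" \
        --data-urlencode "search=${spl}" \
        -d output_mode=csv \
        -o "$2"
}

# Usage (after setting SPLUNK_HOST and TOKEN_FILE):
#   export_report '[REPORT] This is a test report' report.csv
```
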

gerrysr6
Explorer

A simple bash script to do what?

0 Karma

woodcock
Esteemed Legend

To exercise the rest endpoint in its most basic use.

0 Karma

tomapatan
Communicator

Hi Gregg,

This is amazing, thanks for sharing, wish I could mark more than one answer as a solution.
joao_amorim's answer was addressing my basic question, but I can see how I can expand on the REST API topic using your solution.

Many thanks,

Toma

woodcock
Esteemed Legend

There is always the Karma button...

richgalloway
SplunkTrust

The saved/searches/<foo>/history endpoint does not have an option for returning the response as a CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tomapatan
Communicator

Hi Rich,

I guess my question is what is the correct endpoint and what is the correct syntax for exporting the report as a CSV file?

I've looked at the "REST API Reference Manual", but couldn't really find my answer.

Many thanks.

0 Karma

richgalloway
SplunkTrust

There isn't one.  Search results can be exported in CSV format, but not other output.

0 Karma