Reporting

How to use PowerShell to export a saved search using invoke-restmethod?

vandelin
New Member

Hi All,

I need to turn this:

curl --insecure -k -u username "https://api.splunk.company.com:443/servicesNS/username/sse_sitescope_prod_v01/saved/searches/apisear..."

Into a PowerShell equivalent:

api.splunk.company.com:443 is not trusted, as it does not have an SSL cert.

I've read many examples, I just want to export this saved search using invoke-restmethod

Can anyone assist?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you use powershell version 6 then you can add -SkipCertificateCheck.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

I appreciate the response.

I just can't seem to get the entire invoke-restmethod command down pat

I can work with the cert issue , i see where you can search splunk with invoke-restmethod.

I want to be able to have powershell invoke-restmethod and export a saved search

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you don't have powershell 6 then there are other ways to avoid checking certificates. Google can help find them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

i was just mentioning that my curl command had --insecure because it will throw ssl errors at you and not run if you dont because the site is not trusted/has an ssl cert

Skipping certs is just one line that I already have

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

But I'm to form the entire 10 other lines, i cant find a good example to work with when exporting a saved search

$search=""https://api.splunk.company.com:443/services/search/jobs/scheduler__username_c3NlX3NpdGVzY29wZV9wcm9kX3YwMQ__usernameapisearchv3_at_1590751800_36332_8CEC1426-6D01-4FD1-8F3C-31B0C726D471/results?count=0" <-- im trying to do something like this 

#$search = $servar # Cmdlet handles urlencoding

       $body = @{

       search = $search

       output_mode = "json"

       earliest_time = "-31d"

       latest_time = "-5d"

       }

       Invoke-RestMethod -Method get -Uri $url -Credential $cred -Body $body

Regards,

0 Karma

vandelin
New Member

I don't know why it formatted it like this, but, it is what it is

0 Karma

vandelin
New Member

In the end i want the history for the sid and then i want to call:
curl --insecure -u username "https://api.splunk.company.com:443/services/search/jobs/Enter sid/results?count=0"

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...