Reporting

How to use PowerShell to export a saved search using invoke-restmethod?

vandelin
New Member

Hi All,

I need to turn this:

curl --insecure -k -u username "https://api.splunk.company.com:443/servicesNS/username/sse_sitescope_prod_v01/saved/searches/apisear..."

Into a PowerShell equivalent:

api.splunk.company.com:443 is not trusted, as it does not have an SSL cert.

I've read many examples, I just want to export this saved search using invoke-restmethod

Can anyone assist?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you use powershell version 6 then you can add -SkipCertificateCheck.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

I appreciate the response.

I just can't seem to get the entire invoke-restmethod command down pat

I can work with the cert issue , i see where you can search splunk with invoke-restmethod.

I want to be able to have powershell invoke-restmethod and export a saved search

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you don't have powershell 6 then there are other ways to avoid checking certificates. Google can help find them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

i was just mentioning that my curl command had --insecure because it will throw ssl errors at you and not run if you dont because the site is not trusted/has an ssl cert

Skipping certs is just one line that I already have

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

But I'm to form the entire 10 other lines, i cant find a good example to work with when exporting a saved search

$search=""https://api.splunk.company.com:443/services/search/jobs/scheduler__username_c3NlX3NpdGVzY29wZV9wcm9kX3YwMQ__usernameapisearchv3_at_1590751800_36332_8CEC1426-6D01-4FD1-8F3C-31B0C726D471/results?count=0" <-- im trying to do something like this 

#$search = $servar # Cmdlet handles urlencoding

       $body = @{

       search = $search

       output_mode = "json"

       earliest_time = "-31d"

       latest_time = "-5d"

       }

       Invoke-RestMethod -Method get -Uri $url -Credential $cred -Body $body

Regards,

0 Karma

vandelin
New Member

I don't know why it formatted it like this, but, it is what it is

0 Karma

vandelin
New Member

In the end i want the history for the sid and then i want to call:
curl --insecure -u username "https://api.splunk.company.com:443/services/search/jobs/Enter sid/results?count=0"

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...