Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use PowerShell to export a saved search using invoke-restmethod?

vandelin
New Member
‎05-29-2020 08:20 AM

Hi All,

I need to turn this:

curl --insecure -k -u username "https://api.splunk.company.com:443/servicesNS/username/sse_sitescope_prod_v01/saved/searches/apisear..."

Into a PowerShell equivalent:

api.splunk.company.com:443 is not trusted, as it does not have an SSL cert.

I've read many examples, I just want to export this saved search using invoke-restmethod

Can anyone assist?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 09:49 AM

If you use powershell version 6 then you can add -SkipCertificateCheck.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vandelin
New Member
‎05-29-2020 10:52 AM

I appreciate the response.

I just can't seem to get the entire invoke-restmethod command down pat

I can work with the cert issue , i see where you can search splunk with invoke-restmethod.

I want to be able to have powershell invoke-restmethod and export a saved search

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 11:38 AM

If you don't have powershell 6 then there are other ways to avoid checking certificates. Google can help find them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vandelin
New Member
‎05-29-2020 11:45 AM

i was just mentioning that my curl command had --insecure because it will throw ssl errors at you and not run if you dont because the site is not trusted/has an ssl cert

Skipping certs is just one line that I already have

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

But I'm to form the entire 10 other lines, i cant find a good example to work with when exporting a saved search 

$search=""https://api.splunk.company.com:443/services/search/jobs/scheduler__username_c3NlX3NpdGVzY29wZV9wcm9kX3YwMQ__usernameapisearchv3_at_1590751800_36332_8CEC1426-6D01-4FD1-8F3C-31B0C726D471/results?count=0" <-- im trying to do something like this 

#$search = $servar # Cmdlet handles urlencoding

       $body = @{

       search = $search

       output_mode = "json"

       earliest_time = "-31d"

       latest_time = "-5d"

       }

       Invoke-RestMethod -Method get -Uri $url -Credential $cred -Body $body

Regards,

0 Karma
Reply

vandelin
New Member
‎05-29-2020 11:46 AM

I don't know why it formatted it like this, but, it is what it is

0 Karma
Reply

vandelin
New Member
‎05-29-2020 09:43 AM

In the end i want the history for the sid and then i want to call:
curl --insecure -u username "https://api.splunk.company.com:443/services/search/jobs/Enter sid/results?count=0"

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top