How to use PowerShell to export a saved search using invoke-restmethod?

vandelin
New Member

Hi All,

I need to turn this:

curl --insecure -k -u username "https://api.splunk.company.com:443/servicesNS/username/sse_sitescope_prod_v01/saved/searches/apisear..."

Into a PowerShell equivalent:

api.splunk.company.com:443 is not trusted, as it does not have an SSL cert.

I've read many examples; I just want to export this saved search using invoke-restmethod.

Can anyone assist?

0 Karma

richgalloway
SplunkTrust

If you use PowerShell version 6 then you can add -SkipCertificateCheck.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

I appreciate the response.

I just can't seem to get the entire invoke-restmethod command down pat.

I can work with the cert issue; I see where you can search Splunk with invoke-restmethod.

I want to be able to have PowerShell invoke-restmethod and export a saved search.

0 Karma

richgalloway
SplunkTrust

If you don't have PowerShell 6 then there are other ways to avoid checking certificates. Google can help find them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vandelin
New Member

I was just mentioning that my curl command had --insecure because it will throw SSL errors at you and not run if you don't, because the site is not trusted/has an SSL cert.

Skipping certs is just one line that I already have

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

But I'm to form the entire 10 other lines, I can't find a good example to work with when exporting a saved search.

$search = "https://api.splunk.company.com:443/services/search/jobs/scheduler__username_c3NlX3NpdGVzY29wZV9wcm9kX3YwMQ__usernameapisearchv3_at_1590751800_36332_8CEC1426-6D01-4FD1-8F3C-31B0C726D471/results?count=0"   # <-- I'm trying to do something like this

#$search = $servar # Cmdlet handles urlencoding

$body = @{
    search        = $search
    output_mode   = "json"
    earliest_time = "-31d"
    latest_time   = "-5d"
}

# $url and $cred must be set before this call
Invoke-RestMethod -Method Get -Uri $url -Credential $cred -Body $body

Regards,

0 Karma

vandelin
New Member

I don't know why it formatted it like this, but, it is what it is

0 Karma

vandelin
New Member

In the end I want the history for the sid and then I want to call:
curl --insecure -u username "https://api.splunk.company.com:443/services/search/jobs/Enter sid/results?count=0"

0 Karma
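The two-step flow asked for in the thread (saved-search history to find the sid, then that job's results), written out as an added example; it is not code from any poster. It keeps the certificate bypass scoped to each request instead of leaving it switched on for the whole session. Assumptions: the saved-search name is a placeholder, each JSON history entry exposes the sid as `name` with an `updated` timestamp, and the output file name is arbitrary.

```powershell
# Added example. Host, owner and app come from the thread's curl command;
# the saved-search name is a placeholder because the thread truncates it.
$base  = 'https://api.splunk.company.com:443'
$owner = 'username'
$app   = 'sse_sitescope_prod_v01'
$saved = 'SAVED_SEARCH_NAME'
$cred  = Get-Credential -UserName $owner -Message 'Splunk password'

function Invoke-SplunkGet {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][pscredential]$Credential,
        [hashtable]$Query = @{}
    )
    # For GET requests Invoke-RestMethod sends -Body as URL-encoded query parameters.
    $p = @{ Method = 'Get'; Uri = $Uri; Credential = $Credential; Body = $Query }
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 6+: validation is skipped for this one request only.
        return Invoke-RestMethod @p -SkipCertificateCheck
    }
    # Windows PowerShell 5.1: the callback is process-wide, so put the
    # previous value back even when the request throws.
    $old = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        Invoke-RestMethod @p
    }
    finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $old
    }
}

$json = @{ output_mode = 'json'; count = 0 }

# Step 1: list the jobs the saved search has dispatched.
$name    = [uri]::EscapeDataString($saved)
$history = Invoke-SplunkGet -Uri "$base/servicesNS/$owner/$app/saved/searches/$name/history" -Credential $cred -Query $json
if (-not $history.entry) { throw "No job history found for saved search '$saved'." }

# Assumption: each JSON entry's 'name' is the job sid and 'updated' is its timestamp.
$sid = $history.entry | Sort-Object { [datetime]$_.updated } |
       Select-Object -Last 1 -ExpandProperty name

# Step 2: fetch every result row of that job (count=0) and save it.
$job  = [uri]::EscapeDataString($sid)
$rows = Invoke-SplunkGet -Uri "$base/services/search/jobs/$job/results" -Credential $cred -Query $json
$rows.results | Export-Csv -Path .\saved_search_results.csv -NoTypeInformation
```

Installing the server's certificate (or its issuing CA) in the client's trust store removes the need for either bypass branch.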