export search results using curl

jonathanfalconi · ‎09-25-2013

Hi,
I was advised that curl was a workaround used for exporting search results to csv.
Problem is I do not know how to export specific jobs in the jobs manager and I need assistance with the correct syntax:

curl -k -u admin:password! -o 120979_curl.csv --data-urlencode search="search source=log.tar.*" -d "output_mode=csv" exampleurl:8089/servicesNS/admin/search/search/jobs/export

I suspect it is not working because of the search= source=log.tar.* being incorrect... What should I be adding in this field so I download the correct job?

The search I ran was the following
search * | regex _raw=".*/[a-f0-9]{32}/[a-z]{1,15}-[a-z]{1,15}.php" and this is how it appears in teh job manager.

Lastly if I wanted to view the search jobs results on the cli - where would I find the results and couldn't I just scp this file off instead of using curl?

Lucas_K · ‎09-25-2013

Saw this in another post that shows the correct format of the dataurl encode ( http://answers.splunk.com/answers/64345/how-to-export-the-last-25-hours-of-data-using-curl )

So the command should be something like :

curl -k -u admin:password -d "output_mode=csv" -o /home/sample1.csv
https://splunk.server:8089/servicesNS/admin/search/search/jobs/export
--data-urlencode 'search=search earliest=-1d@d latest=@d index=blah
source=log.tar.*'

benjaminw · ‎06-17-2016

I ran a search using this syntax, and received the error "curl: option --data-urlencode: is unknown"

Any ideas?

export search results using curl

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor