Reporting

export search results using curl

jonathanfalconi
Explorer

Hi,
I was advised that curl was a workaround used for exporting search results to csv.
Problem is I do not know how to export specific jobs in the jobs manager and I need assistance with the correct syntax:

curl -k -u admin:password! -o 120979_curl.csv --data-urlencode search="search source=log.tar.*" -d "output_mode=csv" exampleurl:8089/servicesNS/admin/search/search/jobs/export

I suspect it is not working because of the search= source=log.tar.* being incorrect... What should I be adding in this field so I download the correct job?

The search I ran was the following
search * | regex _raw=".*/[a-f0-9]{32}/[a-z]{1,15}-[a-z]{1,15}.php" and this is how it appears in teh job manager.

Lastly if I wanted to view the search jobs results on the cli - where would I find the results and couldn't I just scp this file off instead of using curl?

Tags (2)
0 Karma

Lucas_K
Motivator

Saw this in another post that shows the correct format of the dataurl encode ( http://answers.splunk.com/answers/64345/how-to-export-the-last-25-hours-of-data-using-curl )

So the command should be something like :

curl -k -u admin:password -d "output_mode=csv" -o /home/sample1.csv
https://splunk.server:8089/servicesNS/admin/search/search/jobs/export
--data-urlencode 'search=search earliest=-1d@d latest=@d index=blah
source=log.tar.*'

0 Karma

benjaminw
New Member

I ran a search using this syntax, and received the error "curl: option --data-urlencode: is unknown"

Any ideas?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...