Minimum Capbilities required for REST search/jobs/... - Splunk Community

Splunk Enterprise

I have a custom role which has limited capabilities, including

rest_apps_view
rest_properties_get
search

The role needs to run the following search via the REST API and write the ouptut to a text file on the originating server.

| inputlookup xxx.csv | eval HASH=sha256(<FIELD B>+<FIELD C>) | table <FIELD A>, HASH

I have created a user with the relevant role, and created a token for use in the curl request.

If I run the above search in the UI it works fine, when I run the curl I get a FATAL response message - empty search.

The curl I am using is:

curl -k -X GET -H "Authorization: Bearer <token>"  https://mysearchead.com:8089/servicesNS/<user>/<app>/search/jobs/export -d search='<my search>' -d output_mode=csv > output.csv

So, my question is, which Splunk capabilities are required to be enabled for my custom role to successfully make a REST API call to the search/jobs/export endpoint?

Forgot to state: Splunk Enterprise 8.1.0.1

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...