Splunk Enterprise

Minimum Capabilities required for REST search/jobs/export endpoint

DaveyMeth
Engager

I have a custom role which has limited capabilities, including 

  • rest_apps_view
  • rest_properties_get
  • search

The role needs to run the following search via the REST API and write the output to a text file on the originating server.

| inputlookup xxx.csv | eval HASH=sha256(<FIELD B>+<FIELD C>) | table <FIELD A>, HASH

I have created a user with the relevant role, and created a token for use in the curl request.

If I run the above search in the UI it works fine; when I run the curl I get a FATAL response message: empty search.

The curl I am using is:

curl -k -X GET -H "Authorization: Bearer <token>"  https://mysearchead.com:8089/servicesNS/<user>/<app>/search/jobs/export -d search='<my search>' -d output_mode=csv > output.csv

So, my question is, which Splunk capabilities are required to be enabled for my custom role to successfully make a REST API call to the search/jobs/export endpoint?

0 Karma

DaveyMeth
Engager

Forgot to state: Splunk Enterprise 8.1.0.1

0 Karma
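As an added example (not the poster's code and not from Splunk's documentation), the script below sends the same kind of search to search/jobs/export as a POST with a percent-encoded form body, writes the CSV to a file, and maps the HTTP status to an exit code so a permissions failure (403) is distinguishable from a malformed request. It assumes placeholder environment variables SPLUNK_HOST, SPLUNK_TOKEN, SPLUNK_USER, SPLUNK_APP and CA_BUNDLE, and the SPL string in it is constructed. My reading of the original command, which the thread does not confirm, is that two things can produce "empty search" before any capability is consulted: `-X GET` forces a GET while `-d` puts the search in the request body, where a GET's parameters are not read, and an unencoded `+` in a form body is decoded as a space.

```shell
#!/bin/sh
# Added example, not part of the original post. Sends an SPL search to
# search/jobs/export as a POST with a percent-encoded form body and writes the
# CSV result to a file. SPLUNK_HOST, SPLUNK_TOKEN, SPLUNK_USER, SPLUNK_APP and
# CA_BUNDLE are placeholder environment variables chosen for this example.

# Percent-encode one string (ASCII input assumed). Needed because the SPL
# carries spaces, '|', '+', '(' and ')'; an unencoded '+' in a form body is
# decoded as a space by the server, which silently changes the search.
urlencode() {
  _s=$1
  _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}          # first character of the remaining string
    _s=${_s#?}                  # drop it
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;   # byte value as %XX
    esac
  done
  printf '%s' "$_out"
}

# The jobs endpoints expect the search string to begin with a generating
# pipe ('| inputlookup ...') or the literal word 'search'. Refuse anything
# else locally so a misquoted shell variable never reaches splunkd as an
# empty or malformed search.
check_spl() {
  case $1 in
    '|'*|search*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the application/x-www-form-urlencoded body for the request.
# $1 = SPL, $2 = output_mode (csv, json, xml ...).
build_body() {
  printf 'search=%s&output_mode=%s' "$(urlencode "$1")" "$(urlencode "$2")"
}

# Run the export. $1 = SPL, $2 = destination file. Returns 0 on HTTP 200,
# 2 if the search is rejected locally, 3 on 403 (the role lacks a capability
# for this endpoint), 4 on any other status.
export_search() {
  check_spl "$1" || { echo "refusing to send an invalid search: '$1'" >&2; return 2; }
  _body=$(build_body "$1" csv)
  # POST (no -X GET): the search travels in the form body, which is what the
  # endpoint reads for a POST. --cacert replaces -k so the server certificate
  # is verified instead of ignored.
  _status=$(curl -sS --cacert "$CA_BUNDLE" -o "$2" -w '%{http_code}' \
    -H "Authorization: Bearer $SPLUNK_TOKEN" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-binary "$_body" \
    "https://$SPLUNK_HOST:8089/servicesNS/$SPLUNK_USER/$SPLUNK_APP/search/jobs/export")
  case $_status in
    200) return 0 ;;
    403) echo "403: the role is missing a capability for search/jobs/export" >&2; return 3 ;;
    *)   echo "HTTP $_status; response body saved in $2" >&2; return 4 ;;
  esac
}

# Only perform the network call when the placeholders are populated.
if [ -n "$SPLUNK_HOST" ] && [ -n "$SPLUNK_TOKEN" ]; then
  # Constructed SPL mirroring the shape of the search in the question.
  export_search '| inputlookup xxx.csv | eval HASH=sha256(B+C) | table A, HASH' output.csv
fi
```

If the request still fails after the method and encoding are corrected, the exit code tells you where to look next: 3 means splunkd answered 403, which points at the role's capability set rather than the request, while 4 with the saved response body usually carries splunkd's own error message about the search string.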