Splunk Enterprise

REST API - Need to search from exact date and time

VijaySrrie
Builder

Hi,   

I am using below CURL to export data in JSON format, in this command, may I know how to add the exact date and time to search the results? For instance if I need to search the results from 8th of Wednesday 2020 10am (May i know how to give this time in command?)   

curl -k -u admin:password -d search="savedsearch %22testsavedsearch%22" -d earliest_time=-24h@h -d output_mode="json" https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export > json.txt

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

You specify the earliest and latest time modifiers in the search, e.g. 

earliest="07/08/2020:10:00:00" latest="07/08/2020:10:00:00"

where the format is US format

MM/DD/YYYY:HH:MM:SS 

0 Karma

VijaySrrie
Builder

Its not working  

curl -k -u admin:password -d search="savedsearch %22testsavedsearch%22" -d earliest="07/08/2020:10:00:00" latest="07/08/2020:10:30:00" -d output_mode="json" https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export > time2.txt  

I am getting error as   

Could not resolve host: latest=07; Name or service not known  

If I remove latest="07/08/2020:10:30:00" its working (How to include the latest time)  

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You will have to url encode the earliest and latest, the quotes and slashes like you have done with the %22 for the quotes around the saved search name

%22testsavedsearch%22

 

0 Karma

VijaySrrie
Builder

I am using the below command. Is this correct? It not giving me the exact result (between 13:00 to 13:05) its fetching all the results, I could see the time values 12:00 also 15:00  

curl -k -u admin:password -d search="savedsearch %22testsavedsearch%22" -d %22earliest%3d07%2f10%2f2020%3a13%3a00%3a00%20latest%3d07%2f10%2f2020%3a13%3a05%3a00%22 -d output_mode="json" https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export > time4.txt  

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Sorry my bad

In the saved search command you should pass the earliest and latest parameters, e.g.

-d search=" savedsearch testsavedsearch earliest=07/08/2020:10:00:00 latest=07/08/2020:10:30:00"

and in your saved search definition itself you have as part of the search

earliest="$earliest$" latest="$latest$"

which is the replaceable parameter referred to in the docs

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Savedsearch

0 Karma

VijaySrrie
Builder

The Time which we give here is that in UTC?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Not totally sure - should be easy to test it and see

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...