Splunk Enterprise

Unusual behaviour identified in SPL

Path Finder

Hi Community,

I have an SPL query that runs from a savedsearch in Splunk Enterprise. When I run the query I am able to get the output but when I try to run the same query from the Linux server using a curl command I do not get any response.

I have verified if the curl is able to connect to the API and obtain a response by getting the status code in the output.

Example of the curl command: /usr/bin/curl -sSku username:password https://splunk:8089/servicesNS/admin/search/search/jobs/export -d search="| savedSearch Trading_test host_token=MTE_MTEDEV_Greening time_token.earliest=-30d time_token.latest=now " -d output_mode=csv -d exec_mode=oneshot > output.csv

I was trying to break the problem to check where it might have gone wrong. I found that the savedsearch I was using had a table command to limit the number of columns generated.

So I created a new savedsearch to without any tables and I was able to get the output as raw data.

This is such unusual behaviour that I am not able to figure out what would have gone wrong.

Could anyone let me know why is this causing a problem? Are there some other alternatives that I can use to fix this problem?

Thanks in advance.







Labels (2)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...