Thank you for quick turn around.

Well, i tried that as well and this time different issue

i'm wondering how the same string works in splunk web and doesn't when used in CURL.

if i use double quotes as is and remove search keyword from the search string i'm getting below error:

Thanks,
Manohar

 

Did you try exactly using my endpoint url and parameters? It seems you didn't add --data-urlencode parameter. When I tested it works fine. 

Hi, i did exactly as you suggested. Here is the screenshot:

 

i even removed -d after /jobs/export but looks like same error.

Could you please examine the query and tell me which part of it i did wrong.

This would really help me a lot. Thanks in advance.

I was testing on Linux 😀 , curl is working different on Windows. Below (changed single quotes with double quotes )should work on Windows;

curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

I Did and this time different issue, My sincere apologies for taking your time, but have no other option than splunk community. Kindly help me out.

 

If i remove output_mode=csv, here is what i got. Sorry im really new to Splunk.

i installed curl using pip install curl and the version is 

 

 

@manoharkalva , no problem 😉 

I found out that the problem is because of the spaces in "output_mode = csv".

Please try with output_mode=csv

because of spaces "output_mode" raises an error, aslo "=" and "csv" words cannot processed. 

I hope you will get the results now 😀

Hi, 

I tried removing spaces as well but i din't get any results. when i used the same query in splunk i'm getting data.

Also,

when i removed output_mode, i am getting different error.

Here is the query i used:

curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

and also tried replacing double quotes with single quotes for the string.

query: curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv

i tried escape character and this worked perfectly fine: curl -k -u user:pass https://server:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem=\"*/reporting/wkReport.xls\" AND (cs_uri_query=\"reportName=Pay+Certification\" OR cs_uri_query=\"reportName=CS+Monthly+Payroll+Cost*\")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv