I am able to search from Splunk Web using the below string:
cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName
But when I use the same search string in REST API calls, it's not working.
curl -ku username:paswd https://splunkapiurl:port/servicesNS/admin/search/search/jobs/export -d search=“search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName” -d output_mode=csv
Please help me out resolving the issue.
The problem is because of the double quotes inside the search string. Please try the below:
curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search='search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName' -d output_mode=csv
Thank you for the quick turnaround.
Well, I tried that as well, and this time there is a different issue.
I'm wondering how the same string works in Splunk Web and doesn't when used in curl.
If I use double quotes as is and remove the search keyword from the search string, I'm getting the below error:
Thanks,
Manohar
Did you try exactly using my endpoint url and parameters? It seems you didn't add --data-urlencode parameter. When I tested it works fine.
Hi, I did exactly as you suggested. Here is the screenshot:
I even removed -d after /jobs/export, but it looks like the same error.
Could you please examine the query and tell me which part of it I did wrong?
This would really help me a lot. Thanks in advance.
I was testing on Linux 😀, curl works differently on Windows. The below (changed single quotes to double quotes) should work on Windows:
curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/rptttt.xls" AND (cs_uri_query="reportName=ddd+Certification")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
I did, and this time there is a different issue. My sincere apologies for taking your time, but I have no other option than the Splunk community. Kindly help me out.
If I remove output_mode=csv, here is what I got. Sorry, I'm really new to Splunk.
I installed curl using pip install curl and the version is
@manoharkalva , no problem 😉
I found out that the problem is because of the spaces in "output_mode = csv".
Please try with output_mode=csv
Because of the spaces, "output_mode" raises an error; also, the "=" and "csv" words cannot be processed.
I hope you will get the results now 😀
Hi,
I tried removing the spaces as well, but I didn't get any results. When I used the same query in Splunk, I'm getting data.
Also,
when I removed output_mode, I am getting a different error.
Here is the query I used:
curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
I also tried replacing the double quotes with single quotes for the string.
query: curl -k -u UserName:Passwd https://splunkurl:port/services/search/jobs/export --data-urlencode search="search cs_uri_stem="*/reporting/wkReport.xls" AND (cs_uri_query="reportName=Pay+Certification" OR cs_uri_query="reportName=CS+Monthly+Payroll+Cost*")|stats count by AssociateOID, OrgOID, date, o, reportName" -d output_mode=csv
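Added example, not part of the original thread: a Python sketch that shows what search string the server ends up with for the quoting variants discussed above. It models POSIX shell word splitting with `shlex` (Windows cmd.exe parses quotes differently and is not modelled) and assumes the server decodes the POST body as a standard URL-encoded form; the constant and function names are made up for this example.

```python
import shlex
from urllib.parse import parse_qs, quote

# SPL from the thread, exactly as it should reach Splunk.
SPL = ('search cs_uri_stem="*/reporting/rptttt.xls" AND '
       '(cs_uri_query="reportName=ddd+Certification")'
       '|stats count by AssociateOID, OrgOID, date, o, reportName')

# Quoting variants modelled on the thread's commands (constructed command lines).
BASE = "curl -ku username:paswd https://splunkapiurl:port/services/search/jobs/export "
SINGLE_QUOTED = BASE + "--data-urlencode search='" + SPL + "' -d output_mode=csv"
DOUBLE_QUOTED = BASE + '--data-urlencode search="' + SPL + '" -d output_mode=csv'
PLAIN_D = BASE + "-d search='" + SPL + "' -d output_mode=csv"


def curl_data_args(command_line):
    """Split like a POSIX shell (no globbing) and return curl's (flag, value) data pairs."""
    argv = shlex.split(command_line)
    return [(argv[i], argv[i + 1]) for i in range(len(argv) - 1)
            if argv[i] in ("-d", "--data-urlencode")]


def post_body(data_args):
    """Join data args as curl does: -d is sent verbatim, --data-urlencode encodes the value."""
    parts = []
    for flag, arg in data_args:
        if flag == "--data-urlencode":
            name, _, value = arg.partition("=")
            arg = name + "=" + quote(value, safe="")
        parts.append(arg)
    return "&".join(parts)


def search_seen_by_server(command_line):
    """Form-decode the body (assumed server behaviour) and return the search parameter."""
    body = post_body(curl_data_args(command_line))
    return parse_qs(body, keep_blank_values=True).get("search", [""])[0]


if __name__ == "__main__":
    for label, cmd in (("single quotes + --data-urlencode", SINGLE_QUOTED),
                       ("nested double quotes", DOUBLE_QUOTED),
                       ("single quotes + plain -d", PLAIN_D)):
        seen = search_seen_by_server(cmd)
        print(f"{label}: intact={seen == SPL}\n  {seen}")
```

Only the single-quoted `--data-urlencode` form delivers the SPL intact: nested double quotes lose the inner quotes, and plain `-d` lets the `+` in the report name decode to a space. Storing the SPL in a file (hypothetical name `query.spl`) and passing `--data-urlencode search@query.spl` avoids shell quoting altogether.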