Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract data via rest api
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
preben12
Communicator
10-30-2013
01:16 PM
I have some sample data generated from
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | multikv from_user start_time" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
How can i extract eg. the from_user and start_time from the _raw field so it gets a ordinary search result field in the search result ?
->
<result offset='1487'>
<field k='_bkt'>
<value><text>tweets~39~6909193E-A0BE-4EC0-8F2F-9E47CAE7DEF2</text></value>
</field>
<field k='_cd'>
<value><text>39:278787</text></value>
</field>
<field k='_indextime'>
<value><text>1383149603</text></value>
</field>
<field k='_raw'><v xml:space='preserve' trunc='0'>2013-10-30 17:13:23:443+0100 name="twitter-message" from_user="someuser" in_reply_to="null" start_time="Wed Oct 30 17:13:09 CET 2013" event_id="395584165271203840" text="I voted for Girls' Generation's "I Got a Boy" to win Video of the Year at the YouTube Music Awards. http://t.co/igD2gPOrYI #YTMAhgh" retweet_count="0"</v></field>
<field k='_serial'>
<value><text>1980</text></value>
</field>
<field k='_si'>
<value><text>mac.local</text></value>
<value><text>tweets</text></value>
</field>
<field k='_sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='_subsecond'>
<value><text>.443</text></value>
</field>
<field k='_time'>
<value><text>2013-10-30 17:13:23.443 CET</text></value>
</field>
<field k='host'>
<value><text>127.0.0.1</text></value>
</field>
<field k='index'>
<value h='1'><text>tweets</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>mysource</text></value>
</field>
<field k='sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='splunk_server'>
<value><text>mac.local</text></value>
</field>
</result>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
preben12
Communicator
10-31-2013
09:55 AM
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
preben12
Communicator
10-31-2013
09:55 AM
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
