Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How retrieve search results via Splunk API?

qcjacobo2577
Path Finder
‎05-19-2023 12:50 PM

I recently enabled Splunk tokens (using SAML authentication) and am able to successfully execute basic API calls (such as the one below).

 

curl -H "Authorization: Bearer <token>" -X GET https://<host>.splunkcloud.com:8089/services/authorization/roles

 

I have a Splunk search that works great from the Splunk Cloud UI, but I would like to be able to retrieve the same data in either JSON or CSV format.  I have attempted to follow the Splunk documentation on this, but being brand new may simply be missing something. 

  • What is the best way to achive my goal in this case?
  • Is using Splunk tokens the preferred/best approach?
Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎05-19-2023 09:59 PM

To perform a search, you first post it to the search endpoint as a job.

curl -H "Authorization: Bearer <token>" https://<host>.splunkcloud.com:8089/services/search/job -d search="my great search"

This will submit "my great search" and return an XML document.  You then use the value of the document's <sid /> segment get the result, like this

curl -H "Authorization: Bearer <token>" --get https://<host>.splunkcloud.com:8089/services/search/job/<sid>/result" -d output_mode=json

Of course, you can use output_mode=json in the first command and use the sid node of the JSON document.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎05-19-2023 09:59 PM

To perform a search, you first post it to the search endpoint as a job.

curl -H "Authorization: Bearer <token>" https://<host>.splunkcloud.com:8089/services/search/job -d search="my great search"

This will submit "my great search" and return an XML document.  You then use the value of the document's <sid /> segment get the result, like this

curl -H "Authorization: Bearer <token>" --get https://<host>.splunkcloud.com:8089/services/search/job/<sid>/result" -d output_mode=json

Of course, you can use output_mode=json in the first command and use the sid node of the JSON document.

Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...