
How to export the last 25 hours of data using curl?

Path Finder

I have a saved search in Splunk which has a default start time of 7 days. I have a curl command that works perfectly and exports the last 7 days (default) of data. But is there a way, without changing the default start time in Splunk, to export the last 25 hours using curl?

My command is...

curl -k -u user:password -d "search=savedsearch %22Search%20Name%22" -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export

The index for this search is index=cep_prd "DEBUG" | table _raw and I have tried this curl command with no luck...

curl -k -vvv -u user:password -d "outputmode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search index=cepprd "DEBUG" | table _raw&earliest=-25h@h&latest=now'

Can anyone help?


Re: How to export the last 25 hours of data using curl?

Path Finder

Found the answer in Splunk's IRC server. Thanks guys!

curl -k -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search earliest=-1d@d latest=@d index=cep_prd "DEBUG" | table _raw'

The above code will extract the data from the last day. You could easily edit it to what time frame you want.

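As an added example (not code from the thread), the same export written against the jobs/export endpoint in Python: the time window is passed as the endpoint's own earliest_time/latest_time form fields instead of being spliced into the quoted search string, credentials and the CA bundle come from the environment rather than the command line, and an XML `<msg type=...>` reply (the "junk" a later comment describes) is turned into a readable error instead of being written to the CSV file. The host and index are taken from the thread; the environment variable names SPLUNK_USER, SPLUNK_PASS and SPLUNK_CA_BUNDLE are assumptions.

```python
import os
import re
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode

# Assumed host (from the thread); endpoint path as used in the curl commands above.
SPLUNK_HOST = os.environ.get("SPLUNK_HOST", "splunk.server:8089")
EXPORT_PATH = "/servicesNS/user/search/search/jobs/export"


def build_export_body(search: str, earliest: str = "-25h@h", latest: str = "now") -> bytes:
    """URL-encoded POST body. The window goes in earliest_time/latest_time, so the
    SPL string itself needs no extra quoting for time modifiers."""
    if not (search.startswith("search ") or search.startswith("|")):
        search = "search " + search  # export expects a leading command
    return urllib.parse.urlencode({
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "csv",
    }).encode()


_MSG_RE = re.compile(r'<msg type=["\']([A-Z_]+)["\']>(.*?)</msg>', re.S)


def check_export_response(body: str) -> str:
    """Return the CSV text, or raise if Splunk answered with XML messages
    (e.g. a failed search, or output_mode not being sent)."""
    m = _MSG_RE.search(body)
    if m:
        raise RuntimeError(f"Splunk {m.group(1)}: {m.group(2).strip()}")
    if body.lstrip().startswith("<"):
        raise RuntimeError("unexpected non-CSV response; was output_mode=csv sent?")
    return body


def export_csv(search: str, out_path: str, earliest: str = "-25h@h", latest: str = "now") -> int:
    """POST the export request, write the CSV to out_path, return the line count."""
    user, password = os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASS"]  # assumed env vars
    req = urllib.request.Request(f"https://{SPLUNK_HOST}{EXPORT_PATH}",
                                 data=build_export_body(search, earliest, latest), method="POST")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    ctx = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA_BUNDLE"))  # verify TLS (no -k)
    with urllib.request.urlopen(req, context=ctx, timeout=300) as resp:
        csv_text = check_export_response(resp.read().decode("utf-8", "replace"))
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(csv_text)
    return csv_text.count("\n")


if __name__ == "__main__":
    print(export_csv('index=cep_prd "DEBUG" | table _raw', "/home/sample1.csv"))
```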


Re: How to export the last 25 hours of data using curl?

Path Finder

@zackh123 Thanks for posting this here. It was really helpful.


Re: How to export the last 25 hours of data using curl?

New Member

Hi, for me, when I use the search job export endpoint I don't get the data output; instead I get some junk values like the one below:
msg type
