Re: How to pass the earliest ,latest time and span...

bubby248 · ‎03-06-2013

I had the curl statement as below

curl -u username:password -k https://hostname:8089/services/search/jobs -d"search=| savedsearch mysavedsearch" -earliest_time="-24h@h" -latest_time="now" -d span="1hr"

But the response is as below
<?xml version="1.0" encoding="UTF-8"?>

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'mysavedsearch': Error while replacing variable name='earliest'. Could not find variable in the argument map.

Can you please help me out with the curl command
With this am expecting an SID, once I get the SID I will try to retreive the results.

gkanapathy · ‎03-06-2013

First of all, it looks like you have an placeholder for a variable called earliest in your saved search. Probably you don't want that. But if you do want that, then you need to pass it as arguments to the | savedsearch command, within the search string, e.g., | savedsearch earliest=-24h@h.

But if you really don't want that, take it out of the saved search and just pass it as normal HTTP parameter in curl:

... -d earliest_time=-24h@h ...

bubby248 · ‎03-13-2013

Thanks mate

How to pass the earliest ,latest time and span as arguments to the curl command to query a saved search

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?