Hi,
I have a question about using the REST API to run a search. The doc seems to indicate that you need to follow 3 steps - create a search job, get the search status, and then get the search results. Is there any way to just run the search and stream the results back? Seems like a lot of steps...
curl -ku username:password https://SearchHead_host:8089/servicesNS/admin/search/search/jobs/export -d search=“search index%3D_internal | head 3” -d output_mode=csv/xml/json
I wasn't able to get the above example to work. But, this one worked fine for me...
curl -k -u 'username:password' https://splunk.host.name.here:8089/services/search/jobs/export -d search="search error | head 3" -d output_mode=xml
The main differences are...
1. I needed to quote my username and password (as they have special chars in them)
2. I needed to replace "servicesNS" with just "services"
3. Having "search" in the URL twice didn't work for me, so I removed one of them.
4. Only one output_mode can be specified at a time (I put "xml" in my example, but the other two work, just not all at once)
5. I needed to remove the "smart quotes" and use normal quotes. That might just be my console being picky, though.
I needed to add -d exec_mode=oneshot otherwise it wouldn't stream the results back.
E.g.
curl -k -u 'username:password' https://splunk.host.name.here:8089/services/search/jobs/export -d search="search index=_internal | head 3" -d output_mode=csv -d exec_mode=oneshot
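The same export/oneshot call from Python, as an added example that is not from this thread: it builds the request the way the curl commands above do, verifies the server certificate instead of passing -k, reads credentials from the environment rather than the command line, and parses the streamed json output. BASE_URL, the CA bundle path, the SPLUNK_USER/SPLUNK_PASSWORD variables and SAMPLE_STREAM are assumed or constructed values.

```python
# Added example (not from the thread): export endpoint with exec_mode=oneshot
# from Python. Credentials come from the environment, TLS is verified against
# a CA bundle, and SAMPLE_STREAM is a constructed stand-in for the response.
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request

OUTPUT_MODES = ("csv", "xml", "json")  # exactly one per request

def build_export_request(base_url, spl, output_mode="json", oneshot=True):
    """Return (url, form_body) for /services/search/jobs/export; a bare
    'index=...' gets the 'search' command prepended, urlencode gives %3D."""
    if output_mode not in OUTPUT_MODES:
        raise ValueError("output_mode must be one of %s" % (OUTPUT_MODES,))
    spl = spl.strip()
    if not (spl.startswith("search ") or spl.startswith("|")):
        spl = "search " + spl
    form = {"search": spl, "output_mode": output_mode}
    if oneshot:
        form["exec_mode"] = "oneshot"  # stream results back synchronously
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    return url, urllib.parse.urlencode(form)

def parse_export_json(lines):
    """json mode streams one object per line; drop preview rows."""
    rows = [json.loads(l) for l in lines if l.strip()]
    return [r["result"] for r in rows if "result" in r and not r.get("preview")]

def run_export_search(base_url, spl, ca_bundle):
    user, password = os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"]
    url, body = build_export_request(base_url, spl)
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verify, unlike -k
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_export_json(raw.decode() for raw in resp)

# Constructed sample of what the endpoint streams (one JSON object per line)
SAMPLE_STREAM = [
    '{"preview":true,"offset":0,"result":{"_raw":"partial row"}}',
    '{"preview":false,"offset":0,"result":{"_raw":"row one","host":"h1"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"_raw":"row two","host":"h2"}}',
]

if __name__ == "__main__":
    print(parse_export_json(SAMPLE_STREAM))
```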
@kutzi thank you SO MUCH for posting this!!
I have spent several hours trying to figure out how to do a basic synchronous search via curl/api (have tried 100s of curl command variations).
I have scripts working with the Async method (as that is clearly documented in splunk docs), however I'm not sure why the direct, synchronous method seems to have little/no documentation. (I realize the pros/cons of each and that synchronous search should rarely be used).
Again thanks for taking the time to make this post, it was super helpful.
Here is what is working for me:
curl -u admin:mypw -k https://splunk.me:8089/services/search/jobs/export -d search="search index=routers Web Down | head 3" -d output_mode=csv -d exec_mode=oneshot
### also this works:
curl -u admin:mypw -k https://splunk.me:8089/services/search/jobs/export -d output_mode=json -d search="search index=routers |head 10"
curl -ku username:password https://SearchHead_host:8089/servicesNS/admin/search/search/jobs/export -d search=“search index%3D_internal | head 3” -d output_mode=csv/xml/json
Thanks! Works great.
Is the RESTful URL call /serviceNS/admin/search/search/jobs/export right?
Does this require a saved search query? Or are you making it on demand?
It's on demand