I have a question about using the REST API to run a search. The doc seems to indicate that you need to follow 3 steps - create a search job, get the search status, and then get the search results. Is there any way to just run the search and stream the results back? Seems like a lot of steps...
Does this require having a saved search query? Or are you making it on demand?
I wasn't able to get the above example to work. But, this one worked fine for me...
curl -k -u 'username:password' https://splunk.host.name.here:8089/services/search/jobs/export -d search="search error | head 3" -d output_mode=xml
The main differences are...
1. I needed to quote my username and password (as they have special chars in them)
2. I needed to replace "servicesNS" with just "services"
3. Having "search" in the URL twice didn't work for me, I removed one of them.
4. Only one output_mode can be specified at a time (I put "xml" in my example, but the other two work, just not all at once)
5. I needed to remove the "smart quotes" and use normal quotes. That might just be my console being picky, though.
I needed to add -d exec_mode=oneshot otherwise it wouldn't stream the results back.
curl -k -u 'username:password' https://splunk.host.name.here:8089/services/search/jobs/export -d search="search index=_internal | head 3" -d output_mode=csv -d exec_mode=oneshot
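The same export call, written as a small Python client (an added example, not code from this thread or from Splunk): it builds the oneshot export request the two curl commands above arrive at, parses the CSV that streams back, and, unlike `curl -k -u 'user:pass'`, verifies TLS and takes credentials from environment variables instead of the command line. The host, the environment variable names and the sample CSV are placeholders constructed for the example.

```python
import base64
import csv
import io
import os
import ssl
import urllib.parse
import urllib.request

EXPORT_PATH = "/services/search/jobs/export"


def build_export_request(base_url, query, output_mode="csv", earliest="-15m", latest="now"):
    """Return (url, form body) for a oneshot export; one output_mode only."""
    spl = query.strip()
    # The endpoint expects SPL that starts with the 'search' command (or a
    # generating command beginning with '|'); add it when it is missing.
    if not spl.startswith(("search ", "|")):
        spl = "search " + spl
    body = urllib.parse.urlencode({
        "search": spl,
        "output_mode": output_mode,
        "exec_mode": "oneshot",      # needed so results stream straight back
        "earliest_time": earliest,
        "latest_time": latest,
    })
    return base_url.rstrip("/") + EXPORT_PATH, body


def parse_csv_results(text):
    """Turn the CSV body streamed by the export endpoint into a list of dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def run_export(base_url, query):
    """POST the request; credentials come from SPLUNK_USER/SPLUNK_PASS (assumed names)."""
    url, body = build_export_request(base_url, query)
    creds = f"{os.environ['SPLUNK_USER']}:{os.environ['SPLUNK_PASS']}".encode()
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Authorization", "Basic " + base64.b64encode(creds).decode())
    # Verify the management port's certificate; point SPLUNK_CA_BUNDLE (assumed
    # name) at the Splunk CA when the port uses a self-signed certificate.
    ctx = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_csv_results(resp.read().decode())


# Constructed stand-in for what 'index=_internal | head 3' streams back as CSV.
SAMPLE_CSV = (
    '"_time","component","log_level"\n'
    '"2024-01-01T00:00:00.000+00:00","Metrics","INFO"\n'
    '"2024-01-01T00:00:01.000+00:00","Metrics","INFO"\n'
    '"2024-01-01T00:00:02.000+00:00","TcpInputProc","WARN"\n'
)

if __name__ == "__main__":
    for row in parse_csv_results(SAMPLE_CSV):
        print(row["_time"], row["component"], row["log_level"])
```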