Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help with running Rest API to pull results of a Splunk query to a third party server

Navanitha
Path Finder
‎07-14-2025 05:35 AM

I am running a rest APi basically curl to query Splunk for results and export them to the server.  below is my api query.  My Splunk query is very big and the results are also kind of huge.  Query is running fine but I don't see any results.

 

#!/bin/bash

search_query=$(cat <<'EOF'
search index=my long splunk query
EOF
)

echo "Running Splunk search..."
curl --http1.1 -k -u admin:password \
"https://<splunk uri>:8089/services/search/jobs/export" \
--data-urlencode "search=$search_query" \
-d output_mode=csv \
-d earliest_time='-24d@d' \
-d latest_time='@d' \
-o output-file.csv

echo "Done. Results in output-file.csv"

 

This pi returns below results - 

curl: (18) transfer closed with outstanding read data remaining with empty ouput-file.csv.  Looks like it is not able to run such huge query.  I tried the curl command with some simple search query and it is working.  How can I make this work ?

Labels (1)
Labels
Tags (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-14-2025 06:08 AM
Have you try to dispatch your query first then look when it’s ready and after that export results instead of do it in one operation?
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-14-2025 05:53 AM

Hi @Navanitha 

There are a number of things here which could be affecting this. Did you notice the time it took before crashing out? e.g. 1 minute, 5 minutes? There is a --max-time param you can pass to curl so Im wondering if this could help. 

Are you able to find the job in Splunk to see what its status is, how long it took to execute and how many results it returned? The easiest way to do this is probably via the Job manager (Top Right of Splunk screen under "Activity").

Is there a proxy/firewall between your machine and Splunk? Sometimes firewalls have a tendency to kill downloads or long-running HTTP calls.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...