REST API output_mode='json' causes client search e...

Splunk Search

I've been working with the /services/search/jobs/export API recently and I noticed that setting the output mode to 'json' can cause responses to be suppressed. Here's an example:

curl -u $USER:$PASSWORD -k https://<splunk>/services/search/jobs/export -d search='search=savedsearch "my_search"'

<?xml version='1.0' encoding='UTF-8'?>
<response><messages><msg type="FATAL">Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the left hand side.</msg></messages></response>

This same request in a different output mode has no response content.

curl -u $USER:$PASSWORD -k https://splunk.drwholdings.com:8089/services/search/jobs/export -d search='search=savedsearch "my_search"' -d "output_mode=json"

Is there some other flag I need to set to have these errors come through in JSON mode? Requests that don't result in error responses return fine. Both requests come back with status code 200.

Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Are you a member of the Splunk Community?