Hi All,
I am trying to use curl to return a search to a CSV file, as my result will be >6 million.
Using the command:
curl -k -u un:pw https://our_splunk.com:8089/services/search/jobs/export --data-urlencode search='search index=foo sourcetype=bar report | table subid cardid panelid' -d output_mode=csv -d earliest=-6h -d max_time=0 -o filename.csv
This returns the below to filename.csv:
subid,cardid,panelid
,,
,,
,,
,,
,,
If I take the table request out and use fields instead:
curl -k -u un:pw https://our_splunk.com:8089/services/search/jobs/export --data-urlencode search='search index=foo sourcetype=bar report | fields subid cardid panelid' -d output_mode=csv -d earliest=-6h -d max_time=0 -o filename.csv
This returns the whole log line below to filename.csv:
"2019-02-27 11:49:37.772 GMT","2019/02/27 11:49:37.772 [SenderFile] [c-11]: INFO: Report saved to /apps/box_20190227114937772_77777740_5_892222_1223.xml"
In this instance, the fields I am trying to put into a table are:
subid 77777740
cardid 892222
panelid 5
When I include table to extract the fields, I don't get anything returned:
curl -k -u un:pw https://our_splunk.com:8089/services/search/jobs/export --data-urlencode search='search index=foo sourcetype=bar report | fields subid cardid panelid | table subid cardid panelid' -d output_mode=csv -d earliest=-6h -d max_time=0 -o filename.csv
Any advice would be gratefully received.
Thanks.
Hi @ssaenger,
Have you verified that your field extraction is working properly and that its permissions are not set to private?
Could you please share that config?
Cheers,
David
Hi David,
It was a permissions state.
Thank you.
SS
You're welcome! Feel free to accept the answer 😄
OK, so post the specifics as a new answer and click Accept
on that answer to close the question.
What happens when you do this?
curl -k -u un:pw https://our_splunk.com:8089/services/search/jobs/export --data-urlencode search='search index=foo sourcetype=bar report | table subid cardid panelid' -d output_mode=csv -d earliest=-6h -d max_time=0 -o filename.csv