Re: Why am I receiving "Error in 'savedsearch' com...

BP9906 · ‎01-11-2017

http://docs.splunk.com/Documentation/Splunk/6.4.5/Search/ExportdatausingRESTAPI

I read the manual, nothing is working.

curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="| savedsearch "Test Search""
This is not working.

I've URL encoded: | savedsearch "Test Search"
This way the double quotes dont get confused with curl command line.
%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20
So my curl command is:
curl -s -S -ku admin:password https://IP:8089/servicesNS/-/-/search/jobs/export -d search="%7c%20%73%61%76%65%64%73%65%61%72%63%68%20%22%54%65%73%74%20%53%65%61%72%63%68%22%20"

Why doesnt this work?

The saved search was created with an admin ldap user, it shows under a custom app (not search app).
The admin user has full admin access, yet I receive:

Error in 'savedsearch' command: Unable to find saved search named 'Test Search'

Thanks for your help!

jkat54 · ‎01-11-2017

Does "Test Search" have a global context?

If not, you'll need to specify the app context when accessing it.

https://localhost:8089/servicesNS/admin/yourApp/search/jobs/export

Why am I receiving "Error in 'savedsearch' command" when exporting data using REST API?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!