Is there any way how I can get JSON raw data from Splunk for a given query?
Consider the following timechart query:
index=* earliest=<from_time> latest=<to_time> | timechart span=1s count
Key things in the query are: 1. Start/End Time, 2. Time Span (say sec) and 3. Value (say count)
The expected JSON response would be:
{"fields":["_time","count","_span"], "rows":[["2014-12-25T00:00:00.000-06:00","1460981","1"], ..., ["2014-12-25T01:00:00.000-06:00","536889","1"]]}
This is the XHR (ajax calls) for the output_mode=json_rows calls. This requires session and authentication setups.
I’m looking for a RESTful implementation of the same with authentication.
If you're looking for a JavaScript call... here's an example using axios (an npm package I use in my React apps; fetch will also work):
const axios = require('axios');

const base_url = 'https://yoursplunkserver.com/servicesNS/admin/search/search/jobs/export';
const auth = {username: 'username', password: 'password'}; // HTTP Basic auth
const search = 'savedsearch yourSavedSearchName';
const params = {'output_mode': 'json_cols', search: search}; // no es6 used for clarity
axios.get(base_url, {auth: auth, params: params})
  .then((response) => {
    // do something with your data (response.data holds the parsed JSON)
  })
  .catch((err) => {
    // something went wrong (network error, 401 on bad credentials, etc.)
  });
Hope this helps someone
Maybe check out the REST API Basic Tutorial: http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT
Most specifically, the output_mode parameter:
curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d "output_mode=json" https://localhost:8089/servicesNS/admin/search/search/jobs/export
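As an added example (not code from the question or either answer), the following Node.js script does the two things both answers rely on: it assembles the authenticated request to the search/jobs/export endpoint the same way the curl and axios calls do (HTTP Basic auth, search and output_mode as form fields), and it parses the output_mode=json_rows shape shown in the question into records with numeric counts. The server URL, credentials, search string and the sample response are placeholders constructed for the example; the fetch call assumes the body comes back as a single JSON document.

```javascript
// Added example: build a Splunk export request and parse a json_rows response.
// Host, credentials and search are placeholders, not values from the page.

// Assemble the REST request as the curl and axios answers do: Basic auth over
// HTTPS, with search and output_mode sent as x-www-form-urlencoded fields.
function buildExportRequest(baseUrl, username, password, search, outputMode) {
  const url = new URL('/servicesNS/admin/search/search/jobs/export', baseUrl);
  const body = new URLSearchParams({ search, output_mode: outputMode });
  const token = Buffer.from(`${username}:${password}`).toString('base64');
  return {
    url: url.toString(),
    method: 'POST',
    headers: {
      Authorization: `Basic ${token}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Turn a json_rows payload ({fields: [...], rows: [[...], ...]}) into an array
// of objects keyed by field name. Numeric fields such as count arrive as
// strings, so they are converted explicitly; rows whose length does not match
// the field list are rejected instead of silently yielding undefined values.
function parseJsonRows(payload, numericFields = ['count']) {
  const { fields, rows } = payload;
  if (!Array.isArray(fields) || !Array.isArray(rows)) {
    throw new Error('json_rows payload must contain fields and rows arrays');
  }
  return rows.map((row, i) => {
    if (!Array.isArray(row) || row.length !== fields.length) {
      throw new Error(`row ${i} has ${row && row.length} values, expected ${fields.length}`);
    }
    const record = {};
    fields.forEach((name, j) => {
      record[name] = numericFields.includes(name) ? Number(row[j]) : row[j];
    });
    return record;
  });
}

// Send the request with Node's built-in fetch (Node 18+) and parse the result.
// Not exercised offline; it assumes the response body is one JSON document.
async function fetchJsonRows(request) {
  const res = await fetch(request.url, {
    method: request.method,
    headers: request.headers,
    body: request.body,
  });
  if (!res.ok) throw new Error(`Splunk returned HTTP ${res.status}`);
  return parseJsonRows(await res.json());
}

// Constructed sample with the shape the question shows; not real Splunk output.
const SAMPLE_RESPONSE = {
  fields: ['_time', 'count', '_span'],
  rows: [
    ['2014-12-25T00:00:00.000-06:00', '1460981', '1'],
    ['2014-12-25T01:00:00.000-06:00', '536889', '1'],
  ],
};

if (typeof module !== 'undefined' && require.main === module) {
  const req = buildExportRequest(
    'https://yoursplunkserver.com:8089', 'username', 'password',
    'search index=main earliest=-1m latest=now | timechart span=1s count', 'json_rows');
  console.log(req.url, req.body);
  console.log(parseJsonRows(SAMPLE_RESPONSE));
}
```

The request is sent as a POST so the search string travels in the body rather than the URL, where it would otherwise end up in proxy and server access logs; the Basic credentials are only safe because the endpoint is HTTPS, which is also why the curl example needs -k against a self-signed management port.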