Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any way via REST to get JSON raw data from Splunk for a given query?

jibiuthaman
Explorer
‎12-29-2014 09:46 AM

Is there any way how I can get JSON raw data from Splunk for a given query?

Consider the following timechart query:

index=* earliest=<from_time> latest=<to_time> | timechart  span=1s count

Key things in the query are: 1. Start/End Time, 2. Time Span (say sec) and 3. Value (say count)

The expected JSON response would be:

{"fields":["_time","count","_span"], "rows":[["2014-12-25T00:00:00.000-06:00","1460981","1"], ..., ["2014-12-25T01:00:00.000-06:00","536889","1"]]}

This is the XHR (ajax calls) for the output_mode=json_rows calls. This requires session and authentication setups.

I’m looking for a RESTful implementation of the same with authentication.

Reply

AlisonHaire
New Member
‎05-17-2018 08:11 PM

If you're looking for a javascript call... here's an example using axios (an npm package i use in my react apps - fetch will also work)

const base_url = ''https://yoursplunkserver.com/servicesNS/admin/search/search/jobs/export";
const auth = {username: 'username', password: 'password'};
const search = 'savedsearch yourSavedSearchName';
const params={'output_mode': 'json_cols', search: search}; //no es6 used for clarity

axios.get(base_url, {auth: auth, params: params})
.then((response) => {
//do something with your data
})
.catch((err) => {
//sth went wrong
}

Hope this helps someone

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:48 AM

Maybe check out the REST API Basic Tutorial http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

0 Karma
Reply

dolivasoh
Contributor
‎12-29-2014 11:55 AM

Most specifically the output_mode tag

curl -k -u admin:changeme --data-urlencode search="search index=main earliest=-1m latest=now | timechart count by sourcetype" -d "output_mode=json" https://localhost:8089/servicesNS/admin/search/search/jobs/export

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...