Splunk Search

REST API returns empty results when I execute the command in Linux

rajiv_kumar
Path Finder

I am trying to fetch results using REST API from Saved Search and getting empty response. My command is like this...
curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d"search=search sourcetype="estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl"

Got response sid in below XML format:1303166708.128

I used this sid in the below command
curl -u admin:changeme -k https://tus1crsappdex215:8089/services/search/jobs/1303166708.128/results/

Please advise me if I am doing something wrong.

Tags (3)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

You have at least one problem here with your POST. You have to escape the = with %3d in the sourcetype=...

Could you try:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

You can also try the "export" mode:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

This gives you the results directly. If you want CSV out, you can run this as:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl&output_mode=csv'

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

For export, output_mode=csv is a new addition to 4.2. You will have to upgrade to get this. You can replace export with "oneshot" to get csv out in 4.1.x.

rajiv_kumar
Path Finder

It worked. But one issue is still there. I am trying to export csv format file and it seems always returning xml format.
Here is my command

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"ebe_abs" PSN earliest%3d-4d&output_mode=csv' >> exporteddata.csv

Can you please advise on this.

Thanks,
Rajiv

0 Karma

rajiv_kumar
Path Finder

Great. It worked.
Thanks Stephen!

Stephen_Sorkin
Splunk Employee
Splunk Employee

You have at least one problem here with your POST. You have to escape the = with %3d in the sourcetype=...

Could you try:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

You can also try the "export" mode:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

This gives you the results directly. If you want CSV out, you can run this as:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl&output_mode=csv'

Hamidreza74
Explorer


HI
I have this issue too, I check by search with your point but it not work
https://community.splunk.com/t5/forums/editpage/board-id/splunk-search/message-id/155815
can you help me?

Tags (1)
0 Karma

rajiv_kumar
Path Finder

It worked. Thanks Stephen!

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...