here is my query:
myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'

mystr="curl -k -u username:password https://splkurl//services/search/jobs/export --data-urlencode search=${myquery} -d output_mode=csv -o res.csv"

If successfully got the data, then I can cat res.csv; otherwise the file will be not generated. ,my scripts likes:

Please use the following script.

!/bin/bash

myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'

mystr="curl -k -u username:password https://splkurl//services/search/jobs/export --data-urlencode search=${myquery} -d output_mode=csv -o res.csv"

Managed to get results using the following script:

#!/bin/bash
myquery='search index=_internal component=* earliest=-7d | stats sum(cpu_seconds) by component | fields * | fillnull'

curl -k -u user:pass  https://localhost:8089/services/search/jobs/export --data-urlencode "search=${myquery}" -d output_mode=csv -o res.csv

my query likes "search='search index=xxxxx.....'". Do you have any document that mentioned SPLUNK API NOT supporting special characters?

After I removed the fillnull then the query works with API. Do you know the API support fillnull or not?

There is no reason for the API not to support the fillnull command.
I managed to get it working using the following as an example:

search=search+index%3D_internal+component%3D%2A+%7C+stats+sum%28cpu_seconds%29+by+component+%7C+fillnull+value%3DNULL

Please share you full query for further debugging, you can mask anything sensitive if needed.

it sounds the API is not supporting "fillnull value=NULL". I debug line be line and stuck on this line. Any solution?

Hi jennifer, it would be helpful if you could share the sample of the code you use to post the search.

If you are building the POST data yourself, there should not be quotes inside your search parameter, for example:

search=search+index%3D_internal

(The equal is url encoded)