Splunk Search

How to export the last 25 hours of data using curl?

zackh123
Path Finder

I have a saved search in splunk which has a default start time of 7 days. I have a curl command that works perfectly and exports the last 7 days (default) of data. But is there a way, without changing the default start time in splunk, to export the last 25 hours using curl?

My command is...

curl -k -u user:password -d "search=savedsearch %22Search%20Name%22" -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export

The index for this search is index=cep_prd "DEBUG" | table _raw and I have tried this curl command with no luck...

curl -k -vvv -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search index=cep_prd "DEBUG" | table _raw&earliest=-25h@h&latest=now'

Can anyone help?

Tags (3)
0 Karma
1 Solution

zackh123
Path Finder

Found the answer in Splunk's IRC server. Thanks guys!

curl -k -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search earliest=-1d@d latest=@d index=cep_prd "DEBUG" | table _raw'

The above code will extract the data from the last day. You could easily edit it to what time frame you want.

View solution in original post

zackh123
Path Finder

Found the answer in Splunk's IRC server. Thanks guys!

curl -k -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search earliest=-1d@d latest=@d index=cep_prd "DEBUG" | table _raw'

The above code will extract the data from the last day. You could easily edit it to what time frame you want.

karan1337
Path Finder

@zackh123 Thanks for posting this here. It was really helpful.

0 Karma

debraj
New Member

hi, for me when I use search job export endpoint I don't get the data output, instead I get some junk values like below
msg type

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...