I have a saved search in Splunk which has a default start time of 7 days. I have a curl command that works perfectly and exports the last 7 days (default) of data. But is there a way, without changing the default start time in Splunk, to export the last 25 hours using curl?
My command is...
curl -k -u user:password -d "search=savedsearch %22Search%20Name%22" -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export
The index for this search is index=cep_prd "DEBUG" | table _raw
and I have tried this curl command with no luck...
curl -k -vvv -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search index=cep_prd "DEBUG" | table _raw&earliest=-25h@h&latest=now'
Can anyone help?
Found the answer in Splunk's IRC server. Thanks guys!
curl -k -u user:password -d "output_mode=csv" -o /home/sample1.csv https://splunk.server:8089/servicesNS/user/search/search/jobs/export --data-urlencode 'search=search earliest=-1d@d latest=@d index=cep_prd "DEBUG" | table _raw'
The above code will extract the data from the last day. You could easily edit it to what time frame you want.
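The reason the attempt in the question fails is that `&earliest=-25h@h&latest=now` sits inside the value given to `--data-urlencode`, so the `&` is encoded and the whole thing becomes part of the SPL text after `table _raw`, rather than separate form fields. The accepted answer instead places `earliest=` and `latest=` as search terms before the first pipe. The script below is an added example, not from the original thread or Splunk, that does the same thing for an arbitrary window (here the 25 hours the question asked for) while keeping the password out of the process list. It assumes the host `splunk.server:8089`, the `user` namespace and the `cep_prd` index from the thread; the `~/.netrc` entry, the `build_spl` helper and the argument names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): export a time window from Splunk via the
# search/jobs/export REST endpoint, with the window expressed as SPL time
# modifiers spliced in before the first pipe.
set -eu

# Build the SPL string: "search earliest=<e> latest=<l> <base search> | <rest>".
# The modifiers must precede the first pipe so they bind to the base search;
# appending them after "| table _raw" (as in the failing attempt) makes them
# arguments to the table command and the export returns nothing useful.
build_spl() {
    base="$1"; earliest="$2"; latest="$3"
    head="${base%%|*}"               # everything before the first pipe
    tail=""
    case "$base" in
        *\|*) tail="|${base#*|}" ;;  # keep the pipeline from the first pipe on
    esac
    head="${head#search }"           # don't emit the "search" keyword twice
    head="${head%"${head##*[![:space:]]}"}"   # trim trailing whitespace
    out="search earliest=$earliest latest=$latest $head"
    if [ -n "$tail" ]; then
        out="$out $tail"
    fi
    printf '%s' "$out"
}

# Run the export. Credentials are read from ~/.netrc
# ("machine splunk.server login user password ...", mode 0600), so the
# password is not visible in `ps` or shell history as it is with -u user:pass.
# -k is kept only because the thread uses it; replace it with
# --cacert /path/to/splunk-ca.pem once the server certificate can be verified.
splunk_export() {
    base="$1"; earliest="$2"; latest="$3"; outfile="$4"
    spl="$(build_spl "$base" "$earliest" "$latest")"
    curl -sS -k --netrc \
        -d "output_mode=csv" \
        --data-urlencode "search=$spl" \
        -o "$outfile" \
        "https://splunk.server:8089/servicesNS/user/search/search/jobs/export"
}

# Usage (not executed here): last 25 hours, snapped to the hour, as the
# question asked for, rather than the calendar day the answer uses.
#   splunk_export 'index=cep_prd "DEBUG" | table _raw' '-25h@h' 'now' /home/sample1.csv
```

`build_spl 'index=cep_prd "DEBUG" | table _raw' -25h@h now` yields `search earliest=-25h@h latest=now index=cep_prd "DEBUG" | table _raw`; the answer's `-1d@d`/`@d` pair gives yesterday midnight-to-midnight instead. The export endpoint also accepts `earliest_time` and `latest_time` as separate `-d` form fields, which is the alternative when the SPL itself should stay untouched.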
@zackh123 Thanks for posting this here. It was really helpful.
Hi, for me, when I use the search job export endpoint I don't get the data output; instead I get some junk values like below:
msg type