Splunk API Output Fields

zqureshi · ‎04-01-2020

Hello All, when I am using the Splunk API I am getting different fields as compared to the Splunk UI. How can we get similar results (fields) as we are able to get from Splunk UI. I have tried the "rf" attribute also but no luck.

This is the call:

curl -k -u u:p https://splunk:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message="j-report" appId=\"static--logger\" items.data.f_id != \"\" OR items.inst_id!= \"\" earliest=03/30/2020:0:0:0 latest=03/31/2020:0:0:0" -d rf=* -d output_mode=csv -o test.csv

zqureshi · ‎04-02-2020

Some More Details:

When I am outputting the search from Splunk UI I am getting following fields:

_raw,_time,
app,appId,
correlationId,
eventtype,
host,
index,
items.
access_type,
items.article_id,
items.data.fed_id,
items.eventType,
items.fed_id,
items.institution_id,
items.journal_id,
items.logLevel,
items.referer_url,
items.request_date,
items.request_method,
items.resource_type,
items.session_id,
items.status_code,
items.time,
items.url,
items.userIp,
items.user_agent,
items.user_id,
items.user_name,
level,
linecount,
message,
product,
punct,
source,
sourcetype,
splunk_server,
splunk_server_group,
tag,tag::eventtype,vendor

What I am getting output of Splunk API the structure includes only a subset of fields which is:

_serial
_time
source
sourcetype
host
index
splunk_server
_raw

I would greatly appreciate how to mimic the Splunk UI output with Splunk API. Your help would be greatly appreciated.

Splunk API Output Fields

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk