Solved: Re: REST API returns empty results when I execute ...

rajiv_kumar · ‎04-18-2011

I am trying to fetch results using REST API from Saved Search and getting empty response. My command is like this...
curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d"search=search sourcetype="estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl"

Got response sid in below XML format:1303166708.128

I used this sid in the below command
curl -u admin:changeme -k https://tus1crsappdex215:8089/services/search/jobs/1303166708.128/results/

Please advise me if I am doing something wrong.

Stephen_Sorkin · ‎04-18-2011

You have at least one problem here with your POST. You have to escape the = with %3d in the sourcetype=...

Could you try:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

You can also try the "export" mode:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

This gives you the results directly. If you want CSV out, you can run this as:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl&output_mode=csv'

View solution in original post

Stephen_Sorkin · ‎04-19-2011

For export, output_mode=csv is a new addition to 4.2. You will have to upgrade to get this. You can replace export with "oneshot" to get csv out in 4.1.x.

rajiv_kumar · ‎04-19-2011

It worked. But one issue is still there. I am trying to export csv format file and it seems always returning xml format.
Here is my command

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"ebe_abs" PSN earliest%3d-4d&output_mode=csv' >> exporteddata.csv

Can you please advise on this.

Thanks,
Rajiv

rajiv_kumar · ‎04-19-2011

Great. It worked.
Thanks Stephen!

Stephen_Sorkin · ‎04-18-2011

You have at least one problem here with your POST. You have to escape the = with %3d in the sourcetype=...

Could you try:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

You can also try the "export" mode:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl'

This gives you the results directly. If you want CSV out, you can run this as:

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/export -d'search=search sourcetype%3d"estore-om_app" com.symantec.ecom.ep.service.misc.impl.SymEpDataCenterServiceImpl&output_mode=csv'

Hamidreza74 · ‎04-24-2021

HI
I have this issue too, I check by search with your point but it not work
https://community.splunk.com/t5/forums/editpage/board-id/splunk-search/message-id/155815
can you help me?

rajiv_kumar · ‎04-19-2011

It worked. Thanks Stephen!

REST API returns empty results when I execute the command in Linux

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?