Hi Splunk Pros,
I'm looking for a way to grab processed, sorted data via a REST API call. For instance when logged into the Splunk search dashboard, I can get a sorted list of data based on an event that I'm able to specify:
"event=spamreport | top limit=50 userid | table userid, count"
which processes the raw log data and returns an organized list of userids sorted by their total spam report count.
Is there a way to get this pre-processed, sorted data via a REST API call? Using the same search string above, I've tried both synchronously returning results with /search/search/jobs/export as well as asynchronously returning results with /search/search/jobs to create a job and /search/search/jobs/JOBID/results to retrieve the data once the job is complete. However, both approaches only give me the raw data, not the sorted list that I can see from the web search dashboard. I've tried playing with the output_mode, but no option that I'm aware of produces the desired result.
Are there any options other than a REST API call? I'm looking for something that is easily doable from the command line or a script and that doesn't require running the search from the same server that contains the log data.
Thanks very much!
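As an added example (not from the original post or from Splunk's own SDK), here is the asynchronous flow the question describes, written against the management port with a bearer token; it also prepends the leading "search" keyword that the REST search endpoint needs but the web UI adds for you. Host, port and token come from assumed environment variables.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Assumed settings: management port 8089 and a bearer token, both taken
# from environment variables so no credential sits in the script.
BASE = os.environ.get("SPLUNK_HOST", "https://splunk.example:8089")
TOKEN = os.environ.get("SPLUNK_TOKEN", "")


def build_search_body(spl):
    """Form-encode the job request; the REST API needs a leading 'search '
    unless the SPL already starts with a generating command ('|')."""
    spl = spl.strip()
    if not (spl.startswith("search ") or spl.startswith("|")):
        spl = "search " + spl
    return urllib.parse.urlencode({"search": spl, "exec_mode": "normal"}).encode()


def _call(path, data=None):
    # HTTPS with default certificate verification; POST when data is given.
    req = urllib.request.Request(BASE + path, data=data,
                                 headers={"Authorization": "Bearer " + TOKEN})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def job_is_done(status):
    """True when the job's JSON status reports dispatchState DONE."""
    return status["entry"][0]["content"]["dispatchState"] == "DONE"


def ranked_users(results):
    """Turn the /results JSON payload into (userid, count) pairs, highest first."""
    rows = [(r["userid"], int(r["count"])) for r in results["results"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def run_sorted_search(spl):
    """Create the job, poll until DONE, then fetch the transformed rows."""
    sid = _call("/services/search/jobs?output_mode=json", build_search_body(spl))["sid"]
    while not job_is_done(_call(f"/services/search/jobs/{sid}?output_mode=json")):
        time.sleep(1)
    return ranked_users(_call(f"/services/search/jobs/{sid}/results?output_mode=json&count=0"))


if __name__ == "__main__":
    for userid, count in run_sorted_search("event=spamreport | top limit=50 userid"):
        print(userid, count)
```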