I have a custom role which has limited capabilities, including rest_apps_view rest_properties_get search The role needs to run the following search via the REST API and write the ouptut to a text file on the originating server. | inputlookup xxx.csv | eval HASH=sha256(<FIELD B>+<FIELD C>) | table <FIELD A>, HASH I have created a user with the relevant role, and created a token for use in the curl request. If I run the above search in the UI it works fine, when I run the curl I get a FATAL response message - empty search. The curl I am using is: curl -k -X GET -H "Authorization: Bearer <token>" https://mysearchead.com:8089/servicesNS/<user>/<app>/search/jobs/export -d search='<my search>' -d output_mode=csv > output.csv So, my question is, which Splunk capabilities are required to be enabled for my custom role to successfully make a REST API call to the search/jobs/export endpoint?
... View more