I have a custom role which has limited capabilities, including  rest_apps_view rest_properties_get search The role needs to run the following search via the REST API and write the ouptut to a text file on the originating server. | inputlookup xxx.csv | eval HASH=sha256(<FIELD B>+<FIELD C>) | table <FIELD A>, HASH I have created a user with the relevant role, and created a token for use in the curl request. If I run the above search in the UI it works fine, when I run the curl I get a FATAL response message - empty search. The curl I am using is: curl -k -X GET -H "Authorization: Bearer <token>" https://mysearchead.com:8089/servicesNS/<user>/<app>/search/jobs/export -d search='<my search>' -d output_mode=csv > output.csv So, my question is, which Splunk capabilities are required to be enabled for my custom role to successfully make a REST API call to the search/jobs/export endpoint? ... View more

I have installed the forwarder in /opt/splunkforwarder and run the splunk start command. I get the license to read/accept, but when I accept the license I get the following message: This appears to be your first time running this version of Splunk. Could not open log file "/opt/splunkforwarder/var/log/splunk/first_install.log" for writing (2). When I check the splunkforwarder directory, there is no var folder... Any help would be appreciated. Dave ... View more