Export data using the Splunk REST API
Use the Splunk REST API to access data from the command line or a Web browser.
REST API access for Splunk Cloud Platform deployments
If you have a Splunk Cloud Platform deployment and you want to use the Splunk REST API, file a Support ticket requesting the API to be enabled. Free trial Splunk Cloud Platform accounts cannot access the REST API. See Using the REST API with Splunk Cloud Platform in the REST API Tutorials for more details.
Export data
Exporting data starts with running a search job to generate results. You can then export this search result data to a file.
- Run a search job using a POST to
/services/search/jobs/
. If you are using a custom time range, pass it in with the POST request.curl -k -u admin:changeme \ https://localhost:8089/services/search/jobs/ -d search="search sourcetype=access_* earliest=-7d"
- Get the search job ID (SID) for the search.
The
/jobs
endpoint returns an XML response including the<sid>
, or search job ID.<?xml version='1.0' encoding='UTF-8'?> <response> <sid>1423855196.339</sid> </response>
You can also get the search job ID by viewing the job in the Search Job Inspector. in Splunk Web. Navigate to Activity > Jobs to open the Job Manager. Locate the search job that you just ran and click Inspect. The Search Job Inspector opens in a separate window. See View the properties of a search job.
- Use a GET request on the
/results
endpoint to export the search results to a file. Ensure that you do the following in the GET request:- Identify your object endpoints.
To see a list of currently available object endpoints for your user, within your app, navigate tohttps://localhost:8089/servicesNS/<user>/<app>/
.
For example:https://localhost:8089/servicesNS/admin/search/saved/searches/
- Identify the search job user and app.
The following example defines<user>
asadmin
and<app>
assearch
. - Identify an output format.
Use theoutput_mode
parameter to specify one of the following available output formats. Use lower case for the format name, as shown here.atom | csv | json | json_cols | json_rows | raw | xml
This example exports search results to a JSON file.
curl -u admin:changeme \ -k https://localhost:8089/servicesNS/admin/search/search/jobs/1423855196.339/results/ \ --get -d output_mode=json -d count=5
- Identify your object endpoints.
See also
For more details about the /jobs
and /export
endpoints, see the following information in the REST API Reference.
See also Creating searches using the REST API in the REST API Tutorials.
Export data using the CLI | Export data using the Splunk SDKs |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 9.0.2205, 9.0.2208, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!