Splunk Cloud Platform

Search Manual

Export data using the Splunk REST API

Use the Splunk REST API to access data from the command line or a Web browser.

REST API access for Splunk Cloud Platform deployments

If you have a Splunk Cloud Platform deployment and you want to use the Splunk REST API, file a Support ticket requesting the API to be enabled. Free trial Splunk Cloud Platform accounts cannot access the REST API. See Using the REST API with Splunk Cloud Platform in the REST API Tutorials for more details.

Export data

Exporting data starts with running a search job to generate results. You can then export this search result data to a file.

  1. Run a search job using a POST to /services/search/jobs/. If you are using a custom time range, pass it in with the POST request.
    curl -k -u admin:changeme \
         https://localhost:8089/services/search/jobs/ -d search="search sourcetype=access_* earliest=-7d"
    
  2. Get the search job ID (SID) for the search. The /jobs endpoint returns an XML response including the <sid>, or search job ID.
    <?xml version='1.0' encoding='UTF-8'?>
    <response>
      <sid>1423855196.339</sid>
    </response>
    

    You can also get the search job ID by viewing the job in the Search Job Inspector. in Splunk Web. Navigate to Activity > Jobs to open the Job Manager. Locate the search job that you just ran and click Inspect. The Search Job Inspector opens in a separate window. See View the properties of a search job.

  3. Use a GET request on the /results endpoint to export the search results to a file. Ensure that you do the following in the GET request:
    • Identify your object endpoints.
      To see a list of currently available object endpoints for your user, within your app, navigate to https://localhost:8089/servicesNS/<user>/<app>/.
      For example:
      https://localhost:8089/servicesNS/admin/search/saved/searches/
      
    • Identify the search job user and app.
      The following example defines <user> as admin and <app> as search.
    • Identify an output format.
      Use the output_mode parameter to specify one of the following available output formats. Use lower case for the format name, as shown here.
      atom | csv | json | json_cols | json_rows | raw | xml
      

      This example exports search results to a JSON file.

      curl -u admin:changeme \
           -k https://localhost:8089/servicesNS/admin/search/search/jobs/1423855196.339/results/ \
           --get -d output_mode=json -d count=5
      

See also

For more details about the /jobs and /export endpoints, see the following information in the REST API Reference.


See also Creating searches using the REST API in the REST API Tutorials.

Last modified on 26 October, 2021
Export data using the CLI   Export data using the Splunk SDKs

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 9.0.2205, 9.0.2208, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters