Search Splunk with Rest API without a saved search

Published 2020-06-27 09:12

I am VERY new to using Splunk and have a very basic question. Is it possible to use the REST API to query Splunk without using an already saved search?

Thanks.

Tags: splunk
1 answer
劳资没心,怎么记你
Reply #2 · 2020-06-27 09:25

You can specify the search string as a parameter to the export endpoint and get the results without having a saved search on the server.

curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 3" -d output_mode=csv

output_mode is an optional parameter. With xml being the default, you can also specify json, csv or xml.

You can also use one of the Splunk SDKs if you want to stick to your choice of language. SDKs make it easier for you to talk to Splunk.

-Neeraj.
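An added Python example, not code from the answer above, that does what the curl command does: it builds the same export request, authenticates with HTTP Basic auth as curl -u does, and parses the newline-delimited JSON the export endpoint streams back with output_mode=json. The host, credentials and the sample stream are assumptions constructed for the example.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

SPLUNK_BASE = "https://localhost:8089"  # assumption: local management port, as in the curl example
EXPORT_PATH = "/servicesNS/admin/search/search/jobs/export"


def build_export_request(spl, output_mode="json"):
    """Return (url, form body) for an ad-hoc SPL string; no saved search is involved."""
    # The string carries its own generating command ("search ..."), exactly like the curl -d value.
    url = SPLUNK_BASE + EXPORT_PATH
    body = urllib.parse.urlencode({"search": spl, "output_mode": output_mode}).encode()
    return url, body


def parse_export_json(raw):
    """Export streams one JSON object per line, each wrapping a 'result' dict."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        # preview=true rows are partial; skip them so only final rows are acted on downstream.
        if obj.get("preview") or "result" not in obj:
            continue
        events.append(obj["result"])
    return events


def run_export(spl, user, password, verify_tls=True):
    """POST the search with HTTP Basic auth (what curl -u does) and parse the stream."""
    url, body = build_export_request(spl)
    req = urllib.request.Request(url, data=body, method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only acceptable against a lab instance
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_export_json(resp.read())


# Constructed sample of an export stream for output_mode=json (not captured from a real server).
SAMPLE_STREAM = b"""{"preview":true,"result":{"_time":"2020-06-27T09:12:00","sourcetype":"splunkd"}}
{"preview":false,"result":{"_time":"2020-06-27T09:12:01","sourcetype":"splunkd"}}
{"preview":false,"result":{"_time":"2020-06-27T09:12:02","sourcetype":"splunk_web_access"}}
"""
```

Call run_export("search index=_internal | head 3", "admin", "changeme") against a running instance; parse_export_json(SAMPLE_STREAM) exercises the parser offline.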
