Search Splunk with Rest API without a saved search

El Guapo · Nov 13, 2012 · Viewed 10.3k times

I am VERY new to using Splunk and have a very basic question. Is it possible to use the REST API to query Splunk without using an already saved search?

Thanks.

Answer

Neeraj · Nov 13, 2012

You can specify the search string as a parameter to the export endpoint and get the results without having a saved search on the server.

curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 3" -d output_mode=csv

output_mode is an optional parameter; xml is the default, and you can also specify json or csv.

You can also use one of the Splunk SDKs if you want to stick to your choice of language. SDKs make it easier for you to talk to Splunk.

-Neeraj.
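The same request as the curl command in the answer above, built from Python with only the standard library, as an added example that is not part of the original post or of any Splunk SDK. The host, port, credentials, the `normalize_search` helper and the sample CSV body are assumptions or constructed data, not values taken from the post. `urlencode` takes care of the `%3D` the curl line writes by hand, and TLS verification stays on unless you explicitly ask for the equivalent of `curl -k`.

```python
"""Added example: POST an ad-hoc search to Splunk's search/jobs/export endpoint
and parse the CSV it returns. Host, credentials and SAMPLE_CSV are assumptions /
constructed data, not taken from the original post."""
import base64
import csv
import io
import ssl
import urllib.parse
import urllib.request

SPLUNKD = "https://localhost:8089"            # assumed splunkd management port
EXPORT_PATH = "/servicesNS/admin/search/search/jobs/export"


def normalize_search(spl: str) -> str:
    """The export endpoint expects the search string to start with a search
    command. Prepend 'search ' unless it already does, or unless it begins with
    a generating command pipe such as '| inputlookup ...'. (Hypothetical helper.)"""
    spl = spl.strip()
    if spl.startswith("|") or spl.lower().startswith("search "):
        return spl
    return "search " + spl


def build_export_request(spl, user, password, output_mode="csv", base=SPLUNKD):
    """Build the POST request. urlencode encodes the '=' in 'index=_internal'
    (and the '|'), so no hand-written %3D is needed."""
    body = urllib.parse.urlencode({
        "search": normalize_search(spl),
        "output_mode": output_mode,
    }).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + EXPORT_PATH, data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    return req


def run_export(req, verify_tls=True):
    """Send the request and return the response body. verify_tls=False is the
    equivalent of curl -k: it accepts any certificate, so reserve it for a lab
    instance with a self-signed cert you have no way to trust properly."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def parse_csv_results(text):
    """Turn an output_mode=csv body into a list of dicts, one per event.
    csv.DictReader handles the quoted _raw field, commas included."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample of what output_mode=csv returns for '| head 3'; not a real capture.
SAMPLE_CSV = (
    '"_time","source","_raw"\n'
    '"2012-11-13T10:00:00.000-08:00","/opt/splunk/var/log/splunk/metrics.log",'
    '"11-13-2012 10:00:00.000 -0800 INFO Metrics - group=thruput, name=thruput, kb=1.2"\n'
    '"2012-11-13T10:00:01.000-08:00","/opt/splunk/var/log/splunk/splunkd.log",'
    '"11-13-2012 10:00:01.000 -0800 INFO  TailingProcessor - Parsing configuration stanza"\n'
    '"2012-11-13T10:00:02.000-08:00","/opt/splunk/var/log/splunk/splunkd_access.log",'
    '"127.0.0.1 - admin [13/Nov/2012:10:00:02.000 -0800] ""POST /services/search/jobs/export HTTP/1.0"" 200 -"\n'
)


if __name__ == "__main__":
    # Offline demonstration: show the exact request that would be sent, then
    # parse the constructed sample instead of contacting a server.
    req = build_export_request("index=_internal | head 3", "admin", "changeme")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    for row in parse_csv_results(SAMPLE_CSV):
        print(row["_time"], row["source"])
```

Two practical notes for anyone copying the curl line: `-k` turns off certificate checking for that request, and `-u admin:changeme` puts the password in your shell history and in the process list for as long as curl runs; a credentials file (`--netrc`) or an interactive `-u admin` prompt avoids both.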