
I want to export data from Splunk via the REST API. I've been wondering whether there is a good "Splunk export" solution that can help me send my query output/result to a third-party application with the help of the REST API.

I have created the Splunk query below, and now I want to export its output to a third-party application at a regular interval; I have the API details of that application with me.

index=main| timechart avg(page)

For Example API:

https://webhook.site/66e9b123-ee72-4621-98bb-4ab23a46d1e8

Happy to clarify more details if required.

Also, I checked the official Splunk documentation for this, where they suggest one solution using a curl command. If I go with curl, how can I schedule it to run at a regular interval?

# -k skips TLS certificate verification; admin:changeme is the documentation's placeholder login
curl -k -u admin:changeme \
  https://localhost:8089/services/search/jobs/ -d search="search sourcetype=access_* earliest=-7d"

SherKhan

1 Answer


If you need the results exported at regular intervals, you can schedule your search in Splunk and then retrieve the results from the REST API using the search/jobs endpoint.

Get results from a saved search

# savedsearch is a generating command, so it is prefixed with "|"; -u USERNAME prompts for the password instead of putting it on the command line
curl -k -u USERNAME https://MY_SPLUNK_HOST:8089/servicesNS/USERNAME/YOUR_SPLUNK_APP/search/jobs/export -d search="| savedsearch YOUR_SAVED_SEARCH" -d output_mode=json

An alternative is to run your SPL search each time and retrieve the data from the /search/jobs endpoints:

Issue the call and get the SID (the search id is in the response):

curl -k -u USERNAME https://MY_SPLUNK_HOST:8089/services/search/jobs/ -d search="search index=MY_INDEX earliest=-15m" -d output_mode=json

Check the status to see whether the search job has completed (look at isDone / dispatchState in the response):

curl -u USERNAME -k https://MY_SPLUNK_HOST:8089/services/search/jobs/160.obfuscated --get -d output_mode=json

Get the results:

curl -u USERNAME -k https://MY_SPLUNK_HOST:8089/services/search/jobs/160.obfuscated/results/ --get -d output_mode=json
Honky Donkey
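The create-job / poll-status / fetch-results sequence from the answer, wired to the question's webhook use case and written so it can be dropped into a cron job. This is an added example, not code from the original question or answer: it uses a Splunk authentication token in an `Authorization: Bearer` header rather than `-u admin:changeme` on the command line, verifies the TLS certificate instead of using `-k`, and treats the Splunk host, token and webhook URL as environment variables (names assumed here). The HTTP transport is injectable, and `FakeTransport` is a constructed stand-in for Splunk and the webhook so the flow runs offline; the endpoints, response shapes (`sid`, `entry[0].content.isDone`, `results`) and the sample rows are the only things it models.

```python
"""Poll a Splunk search job over the REST API and forward its results to a webhook.

Added example, not from the original post. Implements the sequence in the answer:
POST search/jobs -> GET search/jobs/<sid> until isDone -> GET search/jobs/<sid>/results,
then POSTs the rows to a third-party URL. The transport is injected so demo() runs offline.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body=None):
    """Real transport. Certificates are verified; there is no equivalent of curl -k here."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class SplunkExporter:
    """Drives the search/jobs endpoints with a token instead of a password on the CLI."""

    def __init__(self, base_url, token, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": "Bearer " + token}   # Splunk auth token (assumed)
        self.transport = transport

    def _call(self, method, path, params=None, body=None):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        status, data = self.transport(method, url, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return json.loads(data)

    def create_job(self, spl):
        """POST search/jobs; the JSON body carries the search id (sid)."""
        form = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
        return self._call("POST", "/services/search/jobs", body=form)["sid"]

    def wait_for_job(self, sid, poll_seconds=2.0, timeout_seconds=300):
        """GET search/jobs/<sid> until isDone; fail loudly on isFailed or timeout."""
        deadline = time.monotonic() + timeout_seconds
        while True:
            content = self._call("GET", f"/services/search/jobs/{sid}",
                                 {"output_mode": "json"})["entry"][0]["content"]
            if content.get("isFailed"):
                raise RuntimeError(f"job {sid} failed: {content.get('messages')}")
            if content.get("isDone"):
                return content
            if time.monotonic() >= deadline:
                raise TimeoutError(f"job {sid} still {content.get('dispatchState')}")
            time.sleep(poll_seconds)

    def get_results(self, sid):
        """GET search/jobs/<sid>/results; count=0 asks for every row."""
        return self._call("GET", f"/services/search/jobs/{sid}/results",
                          {"output_mode": "json", "count": 0})["results"]


def forward_results(results, webhook_url, transport=urllib_transport):
    """POST the rows as one JSON document to the third-party endpoint."""
    payload = json.dumps({"results": results}).encode()
    status, _ = transport("POST", webhook_url, {"Content-Type": "application/json"}, payload)
    if status >= 400:
        raise RuntimeError(f"webhook returned HTTP {status}")
    return payload


def export_once(splunk_url, token, spl, webhook_url, transport=urllib_transport, poll_seconds=2.0):
    """One scheduled run: create, wait, fetch, forward. Returns the rows that were sent."""
    exporter = SplunkExporter(splunk_url, token, transport)
    sid = exporter.create_job(spl)
    exporter.wait_for_job(sid, poll_seconds=poll_seconds)
    results = exporter.get_results(sid)
    forward_results(results, webhook_url, transport)
    return results


class FakeTransport:
    """Constructed stand-in for Splunk and the webhook so the flow can run offline."""

    def __init__(self):
        self.calls = []   # (method, url, body) in order
        self.polls = 0

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, body))
        path = urllib.parse.urlsplit(url).path
        if path == "/services/search/jobs" and method == "POST":
            return 201, b'{"sid":"1700000000.123"}'          # Splunk answers 201 Created
        if path == "/services/search/jobs/1700000000.123":
            self.polls += 1                                   # first poll RUNNING, second DONE
            done = self.polls >= 2
            return 200, json.dumps({"entry": [{"content": {"isDone": done, "isFailed": False,
                                    "dispatchState": "DONE" if done else "RUNNING"}}]}).encode()
        if path == "/services/search/jobs/1700000000.123/results":
            rows = [{"_time": "2024-01-01T00:00:00", "avg(page)": "3.5"},   # constructed sample
                    {"_time": "2024-01-01T01:00:00", "avg(page)": "4.0"}]
            return 200, json.dumps({"results": rows}).encode()
        if path == "/hook":
            return 200, b"ok"
        return 404, b"not found"


def demo():
    """Run the whole flow against FakeTransport and report what was sent where."""
    fake = FakeTransport()
    rows = export_once("https://splunk.example:8089", "dummy-token",
                       "search index=main | timechart avg(page)",
                       "https://webhook.example/hook", transport=fake, poll_seconds=0)
    return {"rows": rows, "polls": fake.polls, "methods": [c[0] for c in fake.calls],
            "sent": json.loads(fake.calls[-1][2]), "webhook_url": fake.calls[-1][1]}


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(json.dumps(demo(), indent=2))
    else:   # real run; secrets come from the environment, never from argv (visible in ps)
        sent = export_once(os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"],
                           "search index=main | timechart avg(page)", os.environ["WEBHOOK_URL"])
        print(f"forwarded {len(sent)} rows")
```

To answer the scheduling part of the question: with the real transport this script is a single `python3 export.py` invocation, so a cron entry such as `*/15 * * * * . /etc/splunk-export.env && /usr/bin/python3 /opt/splunk-export/export.py` (paths and env file assumed) runs it every 15 minutes; the env file holding the token should be readable only by the cron user. The token should belong to a dedicated Splunk user whose role is limited to searching the one index, and `earliest=` in the SPL should match the interval so each run forwards only the new window rather than overlapping data.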