I want to export data from Splunk via the REST API. I've been wondering whether there is a good "Splunk export" solution that can help me send my query output/result to a third-party application with the help of the REST API.
I have created the below Splunk query, and now I want to export the output of my query to a third-party application at a regular interval. I have the API details of that application with me.
index=main| timechart avg(page)
For Example API:
https://webhook.site/66e9b123-ee72-4621-98bb-4ab23a46d1e8
Happy to clarify more details if required.
Also, I checked the official Splunk documentation for this, where they suggested one solution using a curl command. If I go with curl, how can I schedule it to run at a regular interval?
curl -k -u admin:changeme https://localhost:8089/services/search/jobs/ -d search="search sourcetype=access_* earliest=-7d"
If you need the results exported at regular intervals, you can schedule your search in Splunk and then retrieve the results from the REST API using the search/jobs endpoint.
Get results from a saved search
curl -k -u USERNAME https://MY_SPLUNK_HOST:8089/servicesNS/USERNAME/YOUR_SPLUNK_APP/search/jobs/export -d search=" savedsearch YOUR_SAVED_SEARCH"
An alternative is to run your SPL search every time and retrieve data from the /search endpoints:
Issue call, get SID
curl -k -u USERNAME https://MY_SPLUNK_HOST:8089/services/search/jobs/ -d search="search index=MY_INDEX earliest=-15m"
Check status, see if the search job completed
curl -u USERNAME -k https://MY_SPLUNK_HOST:8089/services/search/jobs/160.obfuscated
Get results
curl -u USERNAME -k https://MY_SPLUNK_HOST:8089/services/search/jobs/160.obfuscated/results/ --get -d output_mode=json
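The three-step flow above (create the job, poll its status, fetch the results) followed by the push to the third-party endpoint from the question, as an added Python example that is not part of the original answer. It assumes a Splunk authentication token in SPLUNK_TOKEN, the host in SPLUNK_URL, the target in WEBHOOK_URL and an optional CA bundle in SPLUNK_CA_BUNDLE; everything else is the standard library.

```python
import json
import os
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed settings, read from the environment so the password never sits on the command
# line (curl -u admin:changeme shows up in process listings and shell history).
SPLUNK = os.environ.get("SPLUNK_URL", "https://MY_SPLUNK_HOST:8089")
TOKEN = os.environ.get("SPLUNK_TOKEN", "<splunk-auth-token>")  # Settings > Tokens in Splunk
WEBHOOK = os.environ.get("WEBHOOK_URL", "https://webhook.site/<your-id>")
# Verify Splunk's certificate against a CA bundle instead of disabling checks (curl -k).
TLS = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA_BUNDLE"))

def http(method, url, data=None, headers=None):
    # dict data is form-encoded, bytes are sent as-is; returns the response body as text
    body = urllib.parse.urlencode(data).encode() if isinstance(data, dict) else data
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, context=TLS, timeout=30) as resp:
        return resp.read().decode()

def parse_sid(xml_text):
    """Step 1: POST search/jobs answers <response><sid>...</sid></response>."""
    return ET.fromstring(xml_text).findtext("sid")

def job_done(status_json):
    """Step 2: GET search/jobs/<sid>?output_mode=json; DONE means the results are final."""
    content = json.loads(status_json)["entry"][0]["content"]
    if content.get("isFailed"):
        raise RuntimeError("search job failed: %s" % content.get("messages"))
    return content.get("dispatchState") == "DONE"

def export_once(query, transport=http, poll_seconds=2, max_polls=60):
    """Create the job, poll until DONE, fetch the results, POST them to the webhook."""
    auth = {"Authorization": "Bearer " + TOKEN}
    sid = parse_sid(transport("POST", SPLUNK + "/services/search/jobs/", {"search": query}, auth))
    job = SPLUNK + "/services/search/jobs/" + sid
    for _ in range(max_polls):
        if job_done(transport("GET", job + "?output_mode=json", None, auth)):
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError("search job %s did not finish" % sid)
    rows = json.loads(transport("GET", job + "/results/?output_mode=json", None, auth))["results"]
    payload = {"query": query, "count": len(rows), "results": rows}
    transport("POST", WEBHOOK, json.dumps(payload).encode(), {"Content-Type": "application/json"})
    return payload
```

Run it from cron (for example every 15 minutes) to get the regular interval asked about. The query passed in must start with the search command, as in the curl examples above.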