Splunk export search job using PowerShell
# Conversion of http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2Fexport
# example using curl, to PowerShell with Invoke-RestMethod cmdlet
#
# $ curl -k -u admin:changeme https://localhost:8089/services/search/jobs/export
# --data-urlencode search="search index=_internal | stats count by sourcetype"
# -d output_mode=json -d earliest="rt-5m" -d latest="rt"
$cred = Get-Credential
# This will allow for self-signed SSL certs to work (the equivalent of curl's -k).
# Note: this callback turns off certificate validation for every HTTPS call made
# by this process for as long as it runs, not just this request. It only affects
# Windows PowerShell 5.1; PowerShell 6+ ignores it and uses -SkipCertificateCheck.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$server = 'server.company.com'
$url = "https://${server}:8089/services/search/jobs/export" # braces needed b/c the colon is otherwise a scope operator
$search = "search index=_internal | stats count by sourcetype" # Cmdlet handles urlencoding
$body = @{
    search        = $search
    output_mode   = "json"
    earliest_time = "rt-5m" # real-time window: the export never terminates (see comments below)
    latest_time   = "rt"
}
Invoke-RestMethod -Method Post -Uri $url -Credential $cred -Body $body
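The gist author notes below that the snippet "needs to be parameterized", and a later comment points out that the real-time window (`rt-5m`/`rt`) never ends. The following is an added example, not part of the original gist, that wraps the same export call in a function with a bounded time window, keeps certificate validation on by default, and parses the line-delimited JSON that `output_mode=json` returns. The function name `Export-SplunkSearch`, its parameter names and the `splunk.example.com` host are my own choices; the REST endpoint, body keys and time modifiers are the ones the gist and the Splunk docs already use.

```powershell
# Added example: parameterized export from /services/search/jobs/export.
# Function and parameter names are assumptions of this example, not Splunk's.
function Export-SplunkSearch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Search,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 8089,
        # Relative time modifiers; a bounded window ("-15m" .. "now") terminates,
        # whereas the gist's "rt-5m" .. "rt" real-time window streams forever.
        [string] $EarliestTime = '-15m',
        [string] $LatestTime = 'now',
        [ValidateSet('json', 'csv', 'xml')] [string] $OutputMode = 'json',
        # Opt-in only, for lab hosts with self-signed certs. Scoped to this one
        # request instead of the process-wide ServicePointManager callback.
        [switch] $SkipCertificateCheck
    )

    # The endpoint expects a full search string; prepend the command if the
    # caller passed a bare query such as 'index=_internal | stats count'.
    if ($Search -notmatch '^\s*(search\s|\|)') { $Search = "search $Search" }

    $url  = "https://${Server}:${Port}/services/search/jobs/export"
    $body = @{
        search        = $Search
        output_mode   = $OutputMode
        earliest_time = $EarliestTime
        latest_time   = $LatestTime
    }

    $params = @{
        Method          = 'Post'
        Uri             = $url
        Credential      = $Credential
        Body            = $body        # cmdlet form-encodes the hashtable
        UseBasicParsing = $true        # no IE DOM parsing on Windows PowerShell 5.1
    }
    if ($SkipCertificateCheck) {
        if ($PSVersionTable.PSVersion.Major -lt 6) {
            throw '-SkipCertificateCheck needs PowerShell 6+; on 5.1, trust the server certificate instead.'
        }
        $params.SkipCertificateCheck = $true
    }

    # Invoke-WebRequest is used rather than Invoke-RestMethod because the JSON
    # export is one object per line, which a single ConvertFrom-Json cannot parse.
    $response = Invoke-WebRequest @params
    if ($OutputMode -ne 'json') { return $response.Content }

    foreach ($line in ($response.Content -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $row = $line | ConvertFrom-Json
        # Skip preview rows; keep only final result rows.
        if (-not $row.preview -and $null -ne $row.result) { $row.result }
    }
}

# Usage (host name is a placeholder):
# $cred = Get-Credential   # a Splunk account limited to the search capability it needs
# Export-SplunkSearch -Server 'splunk.example.com' -Credential $cred `
#     -Search 'index=_internal | stats count by sourcetype' -EarliestTime '-1h'
```

Each JSON line from the export endpoint carries a `result` object plus `preview`/`offset` metadata, so the function emits only the `result` objects, which then pipe cleanly into `Format-Table` or `Export-Csv`. Because the window is bounded, the call returns once Splunk finishes the search instead of holding the connection open indefinitely.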
@halr9000
Author

halr9000 commented Sep 18, 2013

Needs to be parameterized. This was a quick one.

@fontora

fontora commented Jan 29, 2020

Your blog post mentions not to do real time (never ends), but in this snippet you have it.
Might be worth updating.

@halr9000
Author

halr9000 commented Jan 29, 2020

Thanks for the comment @fontora. That was intentional as this was a literal translation based on an example in the Splunk docs which itself uses real-time for whatever weird reason.

@halr9000
Author

halr9000 commented Jan 29, 2020

Also, heck of a call back!

@fontora

fontora commented Jan 29, 2020

Fair enough.

Doing a Windows deployment and came across the old blog post and in turn here.
Beat my head against the keyboard until I reread your post and fixed the RT issue :)

@vandelin586

vandelin586 commented May 1, 2020

I would like to search a saved search or input a Splunk query using PowerShell, can anyone help?
