I am VERY new to using Splunk and have a very basic question. Is it possible to use the REST API to query Splunk without using an already saved search?
Thanks.
You can specify the search string as a parameter to the export endpoint and get the results without having a saved search on the server.
curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 3" -d output_mode=csv
output_mode is an optional parameter. With xml being the default, you can also specify json, csv or xml.
You can also use one of the Splunk SDKs if you want to stick to your choice of language. SDKs make it easier for you to talk to Splunk.
-Neeraj.
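The same ad-hoc export call, written as an added Python example (not code from the original answer or from Splunk): it form-encodes the SPL with urlencode so characters like = and | need no hand-encoding, sends HTTP basic auth with the password taken from an environment variable rather than the command line, leaves TLS verification on, and parses the output_mode=csv body into rows. The base URL, the SPLUNK_PASSWORD variable and SAMPLE_CSV are constructed assumptions for illustration; only run_export() needs a live Splunk server.

```python
import base64
import csv
import io
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed values: a local management port, as in the curl example above.
SPLUNK_URL = "https://localhost:8089"
ENDPOINT = "/servicesNS/admin/search/search/jobs/export"


def build_export_body(spl, output_mode="csv"):
    """Form-encode the ad-hoc search for the export endpoint.

    urlencode() escapes '=', '|' and spaces itself, so the query is written
    as plain SPL instead of hand-encoding characters such as %3D.
    """
    return urlencode({"search": spl, "output_mode": output_mode})


def build_export_request(spl, user, password, base_url=SPLUNK_URL):
    """Build the POST request with HTTP basic auth (same scheme as curl -u)."""
    body = build_export_body(spl).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return Request(
        base_url + ENDPOINT,
        data=body,
        method="POST",
        headers={"Authorization": "Basic " + token},
    )


def parse_export_csv(text):
    """Turn the CSV body returned by output_mode=csv into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def run_export(spl, user, password, base_url=SPLUNK_URL):
    """Send the search to a live server and return the parsed rows.

    urlopen verifies the server certificate by default; the answer's curl -k
    switches that check off, which is fine on a lab box but not elsewhere.
    """
    request = build_export_request(spl, user, password, base_url)
    with urlopen(request) as resp:
        return parse_export_csv(resp.read().decode())


# Constructed sample response, shaped like output_mode=csv for "| head 3".
SAMPLE_CSV = "\n".join([
    "_time,source,sourcetype,_raw",
    '2024-01-01T00:00:00.000+00:00,/opt/splunk/var/log/splunk/splunkd.log,splunkd,"01-01-2024 00:00:00.000 +0000 INFO  Metrics - group=thruput, name=index_thruput"',
    '2024-01-01T00:00:01.000+00:00,/opt/splunk/var/log/splunk/splunkd.log,splunkd,"01-01-2024 00:00:01.000 +0000 INFO  Metrics - group=queue, name=parsingqueue"',
    '2024-01-01T00:00:02.000+00:00,/opt/splunk/var/log/splunk/metrics.log,splunkd,"01-01-2024 00:00:02.000 +0000 INFO  Metrics - group=pipeline, name=indexerpipe"',
    "",
])


if __name__ == "__main__":
    query = "search index=_internal | head 3"
    print(build_export_body(query))
    for row in parse_export_csv(SAMPLE_CSV):
        print(row["_time"], row["sourcetype"], row["source"])
    # Live call, only when credentials are supplied (assumed env variable):
    password = os.environ.get("SPLUNK_PASSWORD")
    if password:
        for row in run_export(query, "admin", password):
            print(row["_raw"])
```

The export endpoint streams results as they are produced, so for large result sets read the response incrementally instead of collecting it with resp.read(); the CSV parsing shown here is unchanged either way.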
Source: https://stackoverflow.com/questions/13368407/search-splunk-with-rest-api-without-a-saved-search