We just upgraded from 6.2.2 to 6.3.3 and see a difference with how data can be pulled out of Splunk using curl as compared to the UI and then exporting data.
I can run my search in the UI, table the output, and then export the data to CSV, and all fields are in the result set even if the field is null. Also, the order of fields after | table is preserved in the exported data.
If I run the same search from the CLI using curl, I get only the fields with data and the order of the fields is not preserved.
Here is my search using curl:
curl -k -u test https://xxx.xxx.xxx.xxx.com:8089/servicesNS/admin/search/search/jobs/export \
  -d search="search index=test_prd MARCHEX_POSTBACK sourcetype=prd_test_tomcat_out earliest=-30d latest=now | sort -_time | rename _time AS time | convert ctime(time) | table time,accountId,groupId,campaignId,callId,callerNpa,callerPhoneNumber,callerName,utcCallStart,utcCallEnd,callRecorded,callStatus,ringDuration,inboundExt,keyword,reversLookupName,callerAddress,callerCity,callerState,callerZip,forwardNo,answerOffset,assignedTo" \
  -d output_mode=csv -o /home/test/test.csv
Any way to get the same result using curl? We need to automate extracting this data to feed an ETL job for another tool, so we need the same result as the UI.
Any options?
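One way to give the ETL job a fixed layout whatever columns the export call returns, as an added example that is not part of the original post: rewrite the downloaded CSV to the field order of the `| table` clause, emitting empty values for absent columns. The function name `normalize_export` and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Field order copied from the `| table` clause in the post above.
TABLE_FIELDS = (
    "time,accountId,groupId,campaignId,callId,callerNpa,callerPhoneNumber,"
    "callerName,utcCallStart,utcCallEnd,callRecorded,callStatus,ringDuration,"
    "inboundExt,keyword,reversLookupName,callerAddress,callerCity,callerState,"
    "callerZip,forwardNo,answerOffset,assignedTo"
).split(",")

# Constructed sample: only some columns present, in a different order.
SAMPLE = (
    "callId,time,accountId,callStatus\n"
    "c-1,01/02/2016 10:00:00,42,ANSWERED\n"
    "c-2,01/02/2016 09:30:00,42,\n"
)


def normalize_export(src, dst, fields=TABLE_FIELDS):
    """Rewrite CSV from file object `src` to `dst` with exactly `fields`.

    Columns missing from the input are written as empty strings. Columns
    that are not in `fields` are left out of the output and returned to
    the caller so a changed search does not go unnoticed.
    Returns (rows_written, sorted list of unexpected column names).
    """
    reader = csv.DictReader(src)
    # fieldnames is None when the input is empty (no header line at all).
    unexpected = sorted(set(reader.fieldnames or []) - set(fields))
    writer = csv.DictWriter(dst, fieldnames=fields, restval="",
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    rows = 0
    for row in reader:
        writer.writerow(row)
        rows += 1
    return rows, unexpected


if __name__ == "__main__":
    out = io.StringIO()
    print(normalize_export(io.StringIO(SAMPLE), out))
    print(out.getvalue(), end="")
```

For the file written by the curl command, open `/home/test/test.csv` with `newline=""` and pass the file object as `src`.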