functions/public/Export-SplunkData.ps1
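<#
.SYNOPSIS
    Returns data from Splunk based on search parameters.
.DESCRIPTION
    Creates a search job on a Splunk Cloud deployment through the REST API (management port 8089),
    polls the job until it leaves the in-flight states or -Timeout elapses, and then fetches the
    results in the requested format. Results are written to a timestamped file in the current
    directory unless -ConsoleOutput is given.
.PARAMETER Credential
    Service account username and password with access to the search index being used in Splunk.
    Sent by Invoke-RestMethod/Invoke-WebRequest as HTTP authentication over HTTPS.
.PARAMETER CloudDeploymentName
    Name of your Splunk cloud deployment, i.e. 'illinois' for illinois.splunkcloud.com.
.PARAMETER Search
    Splunk search query for the data you would like returned. The string is submitted with a
    leading 'search ' keyword, so do not include it yourself.
.PARAMETER OutputMode
    Format of the data to return. Default is CSV. When writing to a file the raw response body
    is saved as-is (csv -> .csv, json* -> .json, xml -> .xml).
    Valid values: (csv | json | json_cols | json_rows | xml)
.PARAMETER ConsoleOutput
    Specify to return the data of the given format to the console. No file will be created.
    json/xml responses are returned as PowerShell objects in this mode.
.PARAMETER App
    Specify the Splunk app to search if required. Switches the request namespace to
    servicesNS/<user>/<app>.
.PARAMETER Timeout
    Number of minutes to wait for search results before timing out. Default is 5.
    On timeout a best-effort cancel (DELETE of the job) is issued so the search does not keep
    running on the server.
.PARAMETER EarliestTime
    Sets the earliest (inclusive) time bound for the search. Can be a UTC time or a time relative
    to now, e.g. -5h for 5 hours ago. 1 indicates all time. Default is 30m ago.
.PARAMETER LatestTime
    Sets the latest (exclusive) time bound for the search. Can be a UTC time or a time relative
    to now, e.g. -30m for 30m ago. Default is now.
.EXAMPLE
    Export-SplunkData -CloudDeploymentName 'illinois' -Search 'index=test test_event' -Credential $Credential -ConsoleOutput -EarliestTime '-15m'
.EXAMPLE
    Export-SplunkData -CloudDeploymentName 'illinois' -Search 'index=test | append [ | inputlookup test ]' -Credential $Credential -App 'illinois-urbana-security-techsvc-APP'

    Note that, as in this example, search commands that begin with | such as inputlookup and mstats
    must be fed a dummy index and an append to complete the search successfully with the API.
    https://github.com/splunk/splunk-tableau-wdc/issues/6#issuecomment-499229594
.OUTPUTS
    The search results (ConsoleOutput), the name of the file written, or the string "No results".
#>
function Export-SplunkData {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory=$true)]
        [String]$CloudDeploymentName,
        [Parameter(Mandatory=$true)]
        [String]$Search,
        [ValidateSet("csv","json","json_cols","json_rows","xml")]
        [String]$OutputMode = "csv",
        [Switch]$ConsoleOutput,
        [String]$App,
        [Int]$Timeout = 5,
        [String]$EarliestTime = '-30m',
        [String]$LatestTime
    )

    process {
        # Base URI: the app-scoped namespace when -App is given, otherwise the global services endpoint.
        # NOTE(review): the user name and app name are interpolated into the path unescaped; they are
        # operator-supplied, but a value containing '/' would change the request path.
        $ServerRoot = "https://$($CloudDeploymentName).splunkcloud.com:8089"
        If ($App) {
            $BaseURI = "$ServerRoot/servicesNS/$($Credential.UserName)/$($App)"
        } Else {
            $BaseURI = "$ServerRoot/services"
        }

        # Create the search job; the response carries the SID used for every later call.
        $CreateSplat = @{
            Credential = $Credential
            Method     = 'POST'
            URI        = "$BaseURI/search/jobs"
            Body       = @{
                search        = "search $($Search)"
                output_mode   = 'json'
                earliest_time = $EarliestTime
                latest_time   = $LatestTime
            }
        }
        $SearchJob = Invoke-RestMethod @CreateSplat
        $JobURI = "$BaseURI/search/jobs/$($SearchJob.sid)"
        Write-Verbose -Message "Created search job $($SearchJob.sid)"

        # Poll the job's dispatchState. Besides PARSING/RUNNING a job can sit in QUEUED (under load)
        # or FINALIZING just before DONE; the original loop treated those as a failed search.
        $InFlight       = @('QUEUED', 'PARSING', 'RUNNING', 'FINALIZING')
        $PollInterval   = 5
        $TimeoutSeconds = $Timeout * 60
        $Elapsed        = 0
        $StatusSplat = @{
            Credential = $Credential
            Method     = 'GET'
            URI        = "$JobURI/"
            Body       = @{ output_mode = 'json' }
        }
        $SearchMetaData = Invoke-RestMethod @StatusSplat
        $Status = $SearchMetaData.entry.content.dispatchState
        While (($InFlight -contains $Status) -and ($Elapsed -lt $TimeoutSeconds)) {
            Start-Sleep -Seconds $PollInterval
            $Elapsed += $PollInterval
            Write-Verbose -Message "Search is still running... (state $Status, ${Elapsed}s elapsed)"
            $SearchMetaData = Invoke-RestMethod @StatusSplat
            $Status = $SearchMetaData.entry.content.dispatchState
        }

        # Decide on the *state*, not the elapsed time: a job that reached DONE on the last poll
        # must not be reported as a timeout (the original compared $Seconds first and would throw).
        If ($InFlight -contains $Status) {
            # Best-effort cancel so an abandoned search does not keep consuming the deployment's
            # search capacity; failure to cancel must not mask the timeout error.
            Try {
                Invoke-RestMethod -Credential $Credential -Method 'DELETE' -URI $JobURI | Out-Null
                Write-Verbose -Message "Cancelled search job $($SearchJob.sid) after timeout"
            } Catch {
                Write-Verbose -Message "Could not cancel search job $($SearchJob.sid): $($_.Exception.Message)"
            }
            Throw "Search timeout of $Timeout minute(s) has elapsed while the search was still $Status. Try increasing the timeout."
        }
        If ($Status -eq 'FAILED') {
            Throw "Search has FAILED. `n $($SearchMetaData.entry.Content.messages.text)"
        } ElseIf ($Status -ne 'DONE') {
            Throw "Search did not complete successfully. The status of your search is $($Status). `n $($SearchMetaData.entry.Content.messages.text)"
        }

        # Job is DONE: fetch the results in the requested output mode.
        $ResultsSplat = @{
            Credential = $Credential
            Method     = 'GET'
            URI        = "$JobURI/results"
            Body       = @{ output_mode = $OutputMode }
        }

        If ($ConsoleOutput) {
            # Invoke-RestMethod deserialises json/xml bodies into objects, which is what a console
            # caller wants to work with; csv comes back as a plain string.
            $Results = Invoke-RestMethod @ResultsSplat
            If (!($Results)) {
                Write-Output -InputObject "No results"
            } Else {
                $Results
            }
            return
        }

        # For files we need the raw response body. Invoke-RestMethod would hand back parsed objects
        # for json/xml and Out-File would then write PowerShell's table rendering of those objects
        # rather than the document itself. -UseBasicParsing avoids the IE-engine dependency on
        # Windows PowerShell and is a no-op on newer versions.
        $Raw = (Invoke-WebRequest @ResultsSplat -UseBasicParsing).Content
        If (!($Raw)) {
            Write-Output -InputObject "No results"
            return
        }

        # Build the file name exactly once so the file written and the name reported cannot differ
        # when the clock ticks between two Get-Date calls (the original evaluated it twice).
        $Extension = Switch -Wildcard ($OutputMode) {
            'csv'   { '.csv' }
            'json*' { '.json' }
            'xml'   { '.xml' }
            Default { '' }
        }
        $FileName = "SearchResults_$(Get-Date -Format yyyyMMdd-HHmmss)$Extension"
        # NOTE(review): Out-File uses the host's default encoding (UTF-16LE on Windows PowerShell);
        # kept as in the original so existing consumers of these files are unaffected.
        $Raw | Out-File -FilePath ".\$FileName"
        Write-Output -InputObject $FileName
    }
}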