I have a custom role which has limited capabilities, including
The role needs to run the following search via the REST API and write the output to a text file on the originating server.
| inputlookup xxx.csv | eval HASH=sha256(<FIELD B>+<FIELD C>) | table <FIELD A>, HASH
I have created a user with the relevant role, and created a token for use in the curl request.
If I run the above search in the UI it works fine; when I run the curl I get a FATAL response message - empty search.
The curl I am using is:
curl -k -X GET -H "Authorization: Bearer <token>" https://mysearchead.com:8089/servicesNS/<user>/<app>/search/jobs/export -d search='<my search>' -d output_mode=csv > output.csv
So, my question is, which Splunk capabilities are required to be enabled for my custom role to successfully make a REST API call to the search/jobs/export endpoint?
Forgot to state: Splunk Enterprise 8.1.0.1