I'm trying to write data to outputlookup file by doing a REST API Call (by running a search query).
The below command works and writes data to outputlookup csv file when running the search directly from Splunk.
**| stats count as field1 | eval field1="host_abc;host_def"
| eval field1=split(field1,";")
| mvexpand field1 | rex field=field1 "(?<host>.*)"
| table host | outputlookup test_maintenance.csv**
But this is not working when executing the above search using REST API.
Getting the below error "Unbalanced quotes" when running the below command
curl -k -u admin:admin https://splunksearchnode:8089/servicesNS/admin/search/jobs/export -d search="| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?<host>.*)\" | table host | outputlookup test_maintenance.csv"
Getting the below error when running the below command
Error : Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at ''host_abc'.
curl -k -u admin:admin https://splunksearchnode:8089/servicesNS/admin/search/jobs/export -d search='| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?<host>.*)\" | table host | outputlookup test_maintenance.csv'