Hi - This trick is to set the namespace in order to pull back the saved search that you want. Also - there is a "bug" in our docs for pulling back metadata of a saved search. NOTE: in the example below I am not using a : to pull back the description of the saved search. We are working to get that corrected ASAP.
Here is the snippet to create a namespace object and then to connect to splunk in that namespace.
ns = Splunk::namespace(:sharing => "app", :app => "testrubySS")
svc = Splunk::connect(:username => 'admin', :password => 'changed', :namespace => ns)
Here is my full example that you can use to test out and see if your namespace has been limited. For example, when you list saved searches prior to applying the namespace you will see everything that is system.
After applying namespace you will just see the saved searches in that app.
require 'splunk-sdk-ruby'
class MyTest
def initialize()
end
def run
ns = Splunk::namespace(:sharing => "app", :app => "testrubySS")
svc = Splunk::connect(:username => 'admin', :password => 'changed', :namespace => ns)
svc.apps.each do |a|
puts "App name is: #{a.name}"
end
svc.saved_searches.each do |saved_search|
puts "Saved search is: #{saved_search.name}"
end
ruby_ss = svc.saved_searches.fetch("my_ruby_search")
if ruby_ss.nil?
puts "COULDN'T GET THE SAVED SEARCH"
else
puts "Description for #{ruby_ss.fetch('description')}"
testJob = ruby_ss.dispatch()
end
end
end
test = MyTest.new()
test.run
... View more