No, the search/jobs endpoint doesn't provide that info. You'd have to take the report's ID built from the label, user, and app returned by search/jobs and look at the saved/searches endpoint as you found out already 🙂
Take a look at this example to illustrate:
| rest /services/search/jobs search="isSavedSearch=1" | rename eai:acl.app as app | fields author app label sid | map search="rest /servicesNS/$author$/$app$/saved/searches/$label$ | fields title action.script action.script.filename | eval sid=\"$sid$\""
That's the issue. So I am not able to pick them up in the map search!!
Doesn't match how?
Yes! But "isSavedSearch=1" count(360) doesn't match with "|rest /services/saved/searches" count(90).
The search I posted is a working example over here, so posting another doesn't seem useful to me.
Instead, you should work your way to what's going wrong on your end. Start with this:
| rest /services/saved/searches
That should list all your saved searches. Then add a user and the app:
| rest /servicesNS/user/app/saved/searches
That should list saved searches in that app. Then you add a saved search label to the end, and you should get details for that saved search. Confirm that's returned by the jobs call if it's a scheduled search.
I hard-coded "author", "app" and "label". I just mentioned them as wildcards. Is this the right way to collect from saved searches? Any example provided helps a lot.
Thank you again!!
I don't think wildcards work there.
Yes! I tried. But I didn't get any output.
| rest /servicesNS/*/*/saved/searches/* | fields title action.script action.script.filename
Does running a single REST call for a saved search work based on values taken from the jobs call manually?
I did for 500. But no result.
Heh, it appears map may not like maxsearches=0 for an infinite number of searches; try setting it to 1000 instead.
yes, I did that. But it is returning "None"/No Results found.
By default the map command will only execute ten searches, see http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/map for reference. Add maxsearches=0 to disable the maximum entirely.
Consider filtering before the map, for example by app or search name - unless you want to see all 354 entries.
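To illustrate the two suggestions above (raise or disable maxsearches, and narrow the job list before it reaches map), here is the same jobs-to-saved-searches lookup with an app filter added. This is an added example, not a search from the original answer; the app name "myapp" is a placeholder you would replace with your own, and the field names are the ones already used in the working search earlier in the thread.

```spl
| rest /services/search/jobs search="isSavedSearch=1"
| rename eai:acl.app as app
| search app="myapp"
| fields author app label sid
| dedup author app label
| map maxsearches=1000 search="rest /servicesNS/$author$/$app$/saved/searches/$label$ | fields title action.script action.script.filename | eval sid=\"$sid$\""
```

The `search app="myapp"` line is the pre-filter: map then only runs one REST call per job that survives it, so the result count stays well under the limit and you are not calling saved/searches for every job on the box. The dedup is there because a scheduled search that has run several times produces several jobs with the same author, app and label, and each would otherwise trigger an identical REST call.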
Thanks for the immediate reply. I understood the logic.
But I got the following error:
"The search result count (354) exceeds maximum (10), using max. To override it, set maxsearches appropriately."
I'm new to Splunk search. Any help would be great.
Thank you again!!