
how to export results from a saved search by name and not by job_id using Splunk's REST API?

shacham
Explorer

I have a saved search that runs every day.
I want to get the results with the Splunk REST API.

I found that I can get the results with the job_id that I got from "inspect job":

curl --get -k -u admin:myuser -d "output_mode=csv"  https://searcher-job:8089/services/search/jobs/1234.56789/results > results.csv

But I'm afraid that each day the job_id will change (or each time I add changes), and then my service won't work. I want to get the same result with the saved search name.

1 Solution

jacobwilkins
Communicator

Make sure your search is scheduled.

Then, you hit saved/searches/{name}/history to get the SID. You'll have to parse the response.

Then, you hit /services/search/jobs/{SID}/results to get your results.

Two step process.



shacham
Explorer

Thanks, it worked for me.

For those of you trying to find the sid and parse it, you will find it here:

<title>scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</id>

The SID here is scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162

Also, if you get only 100 results, this is the default, and you can remove the limit by adding:
-d "count=0"
to the results command.

vandelin
New Member

I would like to know how you send the curl history command on a saved search, capture just the SID and then execute {sid}/results, all in one shot. I know it's a two-step process, but to automate this I will need to run history, capture the SID, then run results on the SID.

Any thoughts

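The two-step flow from the accepted answer, chained into one script as vandelin asks. This is an added example, not code from the thread or from Splunk; the host, app namespace (web_mobile, as in the SID line above), saved search name, CA path and credentials are placeholders, and the history XML is a constructed sample so the SID parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): export a scheduled saved search's latest results
# by name, chaining saved/searches/{name}/history -> SID -> search/jobs/{SID}/results.
# SPLUNK_HOST, APP, SEARCH_NAME, CURL_TLS and SPLUNK_AUTH are placeholders/assumptions.
SPLUNK_HOST="${SPLUNK_HOST:-https://searcher-job:8089}"
APP="${APP:-web_mobile}"                       # app namespace seen in the SID's <id> URL
SEARCH_NAME="${SEARCH_NAME:-my_daily_search}"  # assumed URL-safe saved search name
CURL_TLS="${CURL_TLS:---cacert /path/to/splunk-ca.pem}"  # placeholder CA; avoids curl -k

# Step 1 helper: read the history Atom XML on stdin and print the newest scheduler SID.
# Only scheduler-dispatched SIDs embed the run epoch after "_at_", so sort on that
# number instead of trusting the order in which the endpoint lists entries.
latest_scheduled_sid() {
    sid=$(sed -n 's#.*<id>.*/search/jobs/\(scheduler__[^<]*_at_[0-9]*_[0-9]*\)</id>.*#\1#p' \
          | awk -F'_at_' '{ split($2, t, "_"); print t[1], $0 }' \
          | sort -n -k1,1 | tail -n 1 | cut -d' ' -f2-)
    [ -n "$sid" ] || return 1
    printf '%s\n' "$sid"
}

# Steps 1+2: fetch history, extract the SID, stream the results as CSV to stdout.
export_saved_search() {
    name=$1
    sid=$(curl -sS --get $CURL_TLS -u "$SPLUNK_AUTH" \
            "$SPLUNK_HOST/servicesNS/nobody/$APP/saved/searches/$name/history" \
          | latest_scheduled_sid) || { echo "no scheduled run found for $name" >&2; return 1; }
    # count=0 lifts the default cap of 100 rows mentioned in the thread
    curl -sS --get $CURL_TLS -u "$SPLUNK_AUTH" -d output_mode=csv -d count=0 \
         "$SPLUNK_HOST/services/search/jobs/$sid/results"
}

# Constructed sample response; the newest run is deliberately listed first to show the sort.
SAMPLE_HISTORY='<feed>
<title>history</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/saved/searches/my_daily_search/history</id>
<entry><title>scheduler__d2ViX21vYmlsZQ__k2_at_1437143220_11201</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437143220_11201</id></entry>
<entry><title>scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</id></entry>
</feed>'

# With SPLUNK_AUTH=user:password set, do the real export; otherwise only exercise the parser.
if [ -n "${SPLUNK_AUTH:-}" ]; then
    export_saved_search "$SEARCH_NAME" > results.csv
else
    printf '%s\n' "$SAMPLE_HISTORY" | latest_scheduled_sid
fi
```

Run it with SPLUNK_AUTH set to a real user:password pair (or adapt the -u flag to a bearer token) to write results.csv for the named search.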