- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Does a saved search get a new sid each time it run...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does a saved search get a new sid each time it runs?
I'm trying to use the REST API to get the results of a search. I need to run a saved search daily and then extract the results in XML or JSON format.
The issue is with the sid. I believe each run of the search produces a new sid, so how am I supposed to code my API call if the sid changes with each daily execution?
As I understand it, I could either schedule the search in the UI or I could call the 'saved/searches/{name}/dispatch' API endpoint, which would kick off the search (and create a unique sid). Then I could call the 'search/jobs/{search_id}/events' API endpoint to get the events.
Either way, retrieving the events each day has to be done with a variable sid (or am I understanding this wrong?).
Any suggestions or advice on how to accomplish this would be greatly appreciated.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are using the wrong REST endpoint, use this one, which allows you to access a list of SIDs by {name}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does change; try this search:
|rest/servicesNS/nobody/<Your App Name Here>/saved/searches/ splunk_server=local
| search title="*Your Filter Here (Or Not)*" AND is_scheduled=1 AND next_scheduled_time="2*"
| table title | map search="|rest/servicesNS/nobody/<Your App Name Here>//saved/searches/$title$/history splunk_server=local | rename title AS SID | eval title=\"$title$\" | where match(SID, \"^scheduler_\") AND isScheduled=1 AND isDone=1"
| table title SID published ttl
| eval published_epoch=strptime(published, "%Y-%m-%dT%H:%M:%S%z")
| eval daysAgo=round(relative_time(now(), "@d") - relative_time(published_epoch, "@d"))/(60*60*24)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the same issue. I'm not able to get the results of the scheduled job as the sid of it changes every time when it runs. Can we give all the commands you mentioned in a single curl command?
--
Rajesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have given you everything that you need. Just code it up. This search gives you the SID, then you call loadjob (or other REST APIs).
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
