Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run a saved search with SDK?

zacharysyoung
Explorer
‎06-06-2012 12:42 PM

I'm new to Splunk, and am trying to run a saved search with the Python SDK, with the client module (not binding), only I don't understand the SDK model well enough (probably don't know Splunk itself well enough either). I can list all saved searches with saved_searches.py or a particular search with saved_search/saved_search.py, and I can run a one-off search:

job  = splunk.jobs.create('search sourcetype=foo earliest=-60m')

but I don't see an interface for running a saved search.

Can the client module run a saved search?

Thank you,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

View solution in original post

Reply
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

Reply
Solved! Jump to solution

zacharysyoung
Explorer
‎06-06-2012 01:59 PM

Thank you, Apruneda. This is exactly the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...