Hi Everyone,
I am getting data for our monitoring dashboards from Splunk. The dashboards display data for 2hr, 24hrs, and 7 days. I am able to provide the earliest and latest time from the REST API to the saved search, but I also have to change the timechart span based on the time period (2hr: span=5min, 24hrs: span=1hr, 7 days: span=1day). Is there any way I can also pass the span parameter to the saved search, so that I can minimize my saved searches from 20 to 5?
Great question - I had to go ask someone 🙂
The answer is that yes, you can. If you create saved search called "Foo" with a query like this:
index=_internal | timechart span=$span$ count
You can then execute it by executing a search like this:
| savedsearch Foo span=1d
So from the REST API perspective, you would make a POST request to the search/jobs endpoint with the search parameter set to the above query.
Hopefully that makes sense - let me know if you need any more clarification.
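Putting the answer together with the question's three dashboard windows, here is an added example (not code from the original answer or from Splunk) that picks the span for a window, builds the `| savedsearch Foo span=...` query that fills the `$span$` token, and packages it as the form fields for a POST to `search/jobs`. The saved search name "Foo" and the 2h/24h/7d to 5m/1h/1d mapping are taken from the thread; the `SPLUNK_HOST` and `SPLUNK_TOKEN` environment variables are assumptions. Because whatever you pass as `span` is pasted verbatim into the saved search's SPL, the example checks the value against an allowlist before building the query.

```python
"""Added example, not from the original thread or from Splunk: choose a timechart
span for a dashboard window, fill the $span$ token of a saved search via
`| savedsearch`, and submit it as a job through the Splunk REST API.

Assumptions: a saved search named "Foo" whose SPL contains `span=$span$`;
SPLUNK_HOST / SPLUNK_TOKEN are hypothetical environment variables.
"""
import os
import ssl
import urllib.parse
import urllib.request

# Dashboard window (hours) -> timechart span, as listed in the question.
SPAN_BY_WINDOW_HOURS = {2: "5m", 24: "1h", 168: "1d"}

# Only these values may be substituted for $span$. The token is pasted verbatim
# into the saved search's SPL, so an unchecked value coming from a dashboard
# request could carry extra SPL along with it; an allowlist rules that out.
ALLOWED_SPANS = frozenset(SPAN_BY_WINDOW_HOURS.values())


def span_for_window(hours: int) -> str:
    """Return the span for a dashboard window, or raise for an unknown one."""
    try:
        return SPAN_BY_WINDOW_HOURS[hours]
    except KeyError:
        raise ValueError(f"no span configured for a {hours}h window") from None


def build_savedsearch_query(name: str, span: str) -> str:
    """Build the search string that fills the $span$ token of saved search `name`."""
    if span not in ALLOWED_SPANS:
        raise ValueError(f"refusing unexpected span value {span!r}")
    if not name.replace("_", "").replace("-", "").isalnum():
        raise ValueError(f"refusing unexpected saved search name {name!r}")
    # savedsearch is a generating command, so the search starts with a pipe.
    return f"| savedsearch {name} span={span}"


def build_job_request(name: str, hours: int) -> dict:
    """Form fields for POST /services/search/jobs covering the last `hours` hours."""
    span = span_for_window(hours)
    return {
        "search": build_savedsearch_query(name, span),
        "earliest_time": f"-{hours}h",
        "latest_time": "now",
        "output_mode": "json",
    }


def submit_job(name: str, hours: int, host=None, token=None) -> bytes:
    """POST the job to Splunk's management port and return the raw JSON reply
    (which carries the job's sid). Needs a live Splunk instance; not run here."""
    host = host or os.environ["SPLUNK_HOST"]      # hypothetical env var
    token = token or os.environ["SPLUNK_TOKEN"]   # hypothetical env var
    data = urllib.parse.urlencode(build_job_request(name, hours)).encode()
    req = urllib.request.Request(
        f"https://{host}:8089/services/search/jobs",
        data=data,
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    # The default context verifies the server certificate; keep it that way.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read()


if __name__ == "__main__":
    for window in (2, 24, 168):
        print(build_job_request("Foo", window))
```

With one saved search carrying `span=$span$`, each of the three dashboard windows becomes a different `search` form field rather than a different saved search, which is what brings the count down; the allowlist on `span` and the name check keep the REST caller from being able to append arbitrary SPL through the substituted token.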