Finding specific searches in Splunk via REST API calls

rmoreira
Splunk Employee

I know I can get all of the saved searches from the API, which I can use in order to get information about all searches. I can do this, but I would like to avoid having to parse through all of this information every time I want to access a search. I would like to know if there is a way to get the information for a specific search, including the search ID, given the search name. Currently I am using the following method in the API to get a search ID:

            /services/search/jobs -d "search=search <search string>"

But is there a similar method where I can just call something like the following for a saved search, say saved_search_name, in order to get the search ID?

            /services/search/jobs -d savedSearch=saved_search_name

Thanks.

ineeman
Splunk Employee

The REST API follows a collection/entity model, which just means it has a bunch of collections (search jobs, saved searches, apps, users, views, etc.) and each one of those collections is just a list of entities (a single search job, a single saved search).

For example, the endpoint for all saved searches:
/saved/searches

And the endpoint to get a particular saved search:
/saved/searches/{name}

And in particular for saved searches, if you want to get a list of their running history, you can do:
/saved/searches/{name}/history

Which will give you back job information for that particular saved search. You can read more about collections/entities here and specifically about /history here

ziegfried
Influencer

You can query for specific attributes of the jobs. E.g.

Search for Jobs of a saved search "My Search"

/services/search/jobs?search=label%3DMy%20Search

or with a name starting with "My Search"

/services/search/jobs?search=label%3DMy%20Search*

Note that the value of the search parameter needs to be URL-encoded.

label=My Search* ==> label%3DMy%20Search*

0 Karma
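
The endpoints from both answers above (the `/saved/searches/{name}` entity with its `/history`, and the `label` filter on `/services/search/jobs`), as an added example that is not part of the original thread: a Python helper that builds each URL with the percent-encoding the last answer calls for. The host name, function names and sample search names are assumptions.

```python
from urllib.parse import quote

# Placeholder management endpoint (assumption; 8089 is Splunk's default management port).
BASE = "https://splunk.example.com:8089"


def saved_search_url(name, history=False):
    """URL for /saved/searches/{name}, or its /history sub-endpoint.

    The name is encoded as a single path segment (safe=""), so characters
    such as '?', '#' or spaces in a saved-search name cannot cut the path
    short or be read as the start of a query string.
    """
    url = f"{BASE}/services/saved/searches/{quote(name, safe='')}"
    return url + "/history" if history else url


def jobs_by_label_url(label, prefix=False):
    """URL for /services/search/jobs filtered on the job label.

    The whole filter expression (label=<value>) is percent-encoded as one
    query value; '*' is left as-is, matching the encoding shown in the thread.
    """
    expr = f"label={label}" + ("*" if prefix else "")
    return f"{BASE}/services/search/jobs?search={quote(expr, safe='*')}"


if __name__ == "__main__":
    # Constructed sample names, not taken from a real deployment.
    for n in ("My Search", "Failed logins #1?"):
        print(saved_search_url(n))
        print(saved_search_url(n, history=True))
        print(jobs_by_label_url(n))
    print(jobs_by_label_url("My Search", prefix=True))
```

Encoding the name before it goes into the path matters when search names come from user input or another system: an unencoded `?` or `#` would silently change which endpoint the request reaches.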