Reporting

How to construct hyperlink from sid

wang
Path Finder

I am using REST API search endpoints to invoke a search. When the search completes, I get a SID from the json response. I then create an email with the search result. In additional, I want to include a hyperlink in the email that will take me to splunk displaying the same result (with the same criteria including the time window). Can I use the SID to do this (as long as the SID hasn't expired)?

Tags (2)
0 Karma

gaurav_maniar
Builder

Hi Wang,

Try the following URL, to open Search page with sid
It will return the same results as the original query and for the same time duration

http://localhost:8000/en-US/app/search/search?sid=your_sid

Please accept the answer if it works for you.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @wang,

You can achieve this, while creating new job using REST API please provide unique id to search job so that will act as SID

Something like curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal | stats count by host" -d id=mysearch_31102018114300

And after that you can create hyperlink with email so hyperlink should be like this http[s]://SEARCH_HEAD:PORT/app/APP_NAME/search?q=%7Cloadjob%20SID

Based on example I have provided with id=mysearch_31102018114300, hyperlink should be like this http[s]://SEARCH_HEAD:PORT/app/APP_NAME/search?q=%7Cloadjob%20mysearch_31102018114300

As I was not able to fetch latestime from job ID so we can't provide earliest and latest time in hyperlink however when you use loadjob it will exactly load same result when job ran with given timeframe.

0 Karma

wang
Path Finder

I tried this with the SID I got back from the response:

https://SPLUNK_HOST/en-US/app/search/search?q=%7Cloadjob%201541017578.20031_E86B55B0-BB4E-4D2E-9BA0-...

And got this error:
Error in 'SearchOperator:loadjob': The search artifact for job '1541017578.20031_E86B55B0-BB4E-4D2E-9BA0-23B22288B1CA' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.

What does this mean?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Oh, I didn't know that you are running Search Head Cluster, in SHC adhoc job will not be replicated to other members in same cluster and in your case job when you try to construct URL and hit that LB is redirecting it to other member on which job didn't run.

You can try something like this but I am not sure whether this will work or not, when you will fetch data from job with SID, you will able to find search head from searchProviders, when I ran 2-3 jobs generally Search Head will be at first position and Indexers will start from 2nd position. If this will be consistent in all jobs then you can fetch Search Head from there construct hyperlink with Search Head directly (Unfortunately you will not able to use VIP configured for SHC members in hyperlink.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...