How can I access the results of a saved search ind...

BenjaminWyatt · ‎01-29-2013

Hi everyone,
Here's my situation. I have a saved search that runs every 15 minutes or so. We have an external application that needs to access the results of that saved search after it runs. Now, I know this can be done by making a call to the REST API, getting the SID for the search job, and then using the SID to make another API call to make the results.

However, this seems inefficient. Because the saved search runs again every 15 minutes, the SID changes every 15 minutes, and the external application has to poll Splunk again to find out the new SID. Is there a way to allow my application to access the last results of this particular saved search, regardless of what the SID of the last job was?

Neeraj_Luthra · ‎01-29-2013

You can access the history on the saved search which will give you a collection of jobs for it. The first element in the collection, if size>0, is the most recent job.

Are you using any of the Splunk SDKs (Java, JavaScript, Python)? It might be easier to go through an SDK if you are developing in any of these languages. More documentation available at http://dev.splunk.com/view/sdks/SP-CAAADP7.

How can I access the results of a saved search independently of the job's SID?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...