Getting Data In

Splunk API: the proper way to run a saved search

brettcave
Builder

I have recently started working on an integration with Splunk via the API, and am unclear on how to run a saved search - there are a number of ways it seems to do this, and so far my integration is triggering search jobs with no results.

I have been using http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api and http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches for reference. From this, it seems like an effective way of searching is:

  1. Authenticate and get a session ID
  2. Create the Authorization header from the authentication request
  3. POST to the search/jobs endpoint to schedule a search job
  4. Poll the search/jobs/jobId to wait for it to finish (GET, and grab the dispatchState element)
  5. Retrieve the results via search/jobs/jobId/results

In Step 3, I am posting the following body to "/services/search/jobs" (not using /servicesNS/myUsername/...):

search=savedsearch MyCustomSearch

If I log into the job manager, I can see the job. There's a large number of events matched, but no results. So then I thought I would try a Web UI search - I have tried the following 2 variations:

| savedsearch MyCustomSearch
| savedsearch "MyCustomSearch"

But both of those searches return no results. However, I can click the saved search from the "Searches & Reports" menu and get valid results. When I do that, I get the following URI that loads:

/en-US/app/search/flashtimeline?s=%2FservicesNS%2Fnobody%2Fsearch%2Fsaved%2Fsearches%2FMyCustomSearch

And this loads the correct results.

When I look at the job manager, I see 2 variations on the search that don't work.

  1. | savedsearch "MyCustomSearch" events: correct number of events, but no results, triggered by either the API call or by manually querying | savedsearch MyCustomSearch.
  2. MyCustomSearch events: correct number of events, and correct results, triggered by clicking the report in the Web UI menu

What is the correct way to invoke the saved search via the API and get correct results?

Resources used:

  - http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api
  - http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches

brettcave
Builder

Looks like this post helped me get it right: http://splunk-base.splunk.com/answers/50636/finding-specific-searches-in-splunk-via-rest-api-calls

To trigger the search: POST /services/saved/searches/MyCustomSearch/dispatch -d force_dispatch=true. The force_dispatch is optional.

I can then poll the status of the returned SID (still to be tested)
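The dispatch-then-poll flow from the answer above, as an added example that is not the poster's code: it dispatches the saved search, polls the job's dispatchState until DONE (or FAILED), and fetches the result rows. BASE_URL, SESSION_KEY and the fake transport are assumptions for running it offline; the JSON shapes follow the REST endpoints with output_mode=json.

```python
import json
import time
import urllib.parse
import urllib.request

# Hypothetical values; the session key comes from POST /services/auth/login and is a credential.
BASE_URL = "https://splunk.example.com:8089"
SESSION_KEY = "<session-key-placeholder>"


def dispatch_url(base_url, saved_search_name):
    """Percent-encode the name so searches with spaces or slashes resolve."""
    return f"{base_url}/services/saved/searches/{urllib.parse.quote(saved_search_name, safe='')}/dispatch"


def job_state(job_body):
    """dispatchState from a GET /services/search/jobs/<sid> JSON body."""
    return json.loads(job_body)["entry"][0]["content"]["dispatchState"]


def urllib_transport(method, url, data=None):
    """Real HTTPS call; urllib verifies the server certificate by default."""
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Splunk {SESSION_KEY}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def run_saved_search(name, transport=urllib_transport, poll_seconds=2):
    """Dispatch the saved search, wait for DONE (or FAILED), return result rows."""
    form = urllib.parse.urlencode({"force_dispatch": "true", "output_mode": "json"})
    sid = json.loads(transport("POST", dispatch_url(BASE_URL, name), form.encode()))["sid"]
    job_url = f"{BASE_URL}/services/search/jobs/{urllib.parse.quote(sid, safe='')}"
    while (state := job_state(transport("GET", job_url + "?output_mode=json"))) != "DONE":
        if state == "FAILED":
            raise RuntimeError(f"search job {sid} failed")
        time.sleep(poll_seconds)
    return json.loads(transport("GET", job_url + "/results?output_mode=json&count=0"))["results"]


def make_fake_transport():
    """Constructed offline stand-in answering like the three endpoints above."""
    states = iter(["QUEUED", "RUNNING", "DONE"])

    def fake(method, url, data=None):
        if method == "POST" and url.endswith("/dispatch"):
            return '{"sid": "1700000000.123"}'
        if url.endswith("/results?output_mode=json&count=0"):
            return '{"results": [{"host": "web01", "count": "42"}]}'
        return json.dumps({"entry": [{"content": {"dispatchState": next(states)}}]})
    return fake


if __name__ == "__main__":
    print(run_saved_search("MyCustomSearch", transport=make_fake_transport(), poll_seconds=0))
```

Against a real instance, drop the transport argument so urllib_transport is used; the dispatched job then shows up in the job manager as the saved search itself, not as a "| savedsearch" wrapper.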
