I have recently started working on an integration with Splunk via the API, and am unclear on how to run a saved search - there seem to be a number of ways to do this, and so far my integration is triggering search jobs with no results.
I have been using http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api and http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches for reference. From this, it seems like an effective way of searching is:
In Step 3, I am posting the following body to "/services/search/jobs" (not using /servicesNS/myUsername/...):
search=savedsearch MyCustomSearch
If I log into the job manager, I can see the job. There's a large number of events matched, but no results. So then I thought I would try a Web UI search - I have tried the following 2 variations:
| savedsearch MyCustomSearch
| savedsearch "MyCustomSearch"
But both of those searches return no results. However, I can click the saved search from the "Searches & Reports" menu and get valid results. When I do that, I get the following URI that loads:
/en-US/app/search/flashtimeline?s=%2FservicesNS%2Fnobody%2Fsearch%2Fsaved%2Fsearches%2FMyCustomSearch
And this loads the correct results.
When I look at the job manager, I see 2 variations on the search that don't work.
| savedsearch MyCustomSearch
What is the correct way to invoke the saved search via the API and get correct results?
Resources used: http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches
Looks like this post helped me get it right: http://splunk-base.splunk.com/answers/50636/finding-specific-searches-in-splunk-via-rest-api-calls
To trigger the search: POST /services/saved/searches/MyCustomSearch/dispatch -d force_dispatch=true. The force_dispatch parameter is optional.
I can then poll the status of the returned SID (still to be tested)
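Putting the answer's steps together (dispatch the saved search through its own endpoint rather than `search=savedsearch ...` on /services/search/jobs, poll the returned SID until the job is done, then read the results) as a small client. This is an added example for this thread, not code from the question, the answer or Splunk itself. It assumes a hypothetical management port at https://splunk.example.com:8089, an Authorization header already in hand ("Splunk <sessionKey>" from /services/auth/login, or "Bearer <token>"), and that the saved search is shared at owner "nobody" in app "search", which is the namespace the working UI URI in the question points at (a private search lives under /servicesNS/<user>/<app>/ instead). Every request goes through an injectable transport, so the flow runs offline against constructed responses in demo(); swap in urllib_transport for a live splunkd.

```python
"""Dispatch a Splunk saved search by name, wait for the job, fetch results.

Added example for this thread (not the original poster's or Splunk's code).
Assumed: hypothetical host https://splunk.example.com:8089, saved search
shared under /servicesNS/nobody/search/, auth header supplied by the caller.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, body_text)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, str]:
    """Live transport. urlopen's default SSL context verifies the server cert, so a
    self-signed splunkd cert belongs in the trust store; do not disable verification."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _is_true(value) -> bool:
    # splunkd JSON uses booleans, but older/XML-derived payloads use "1"/"0".
    return str(value).lower() in ("1", "true")


class SplunkJobClient:
    def __init__(self, base_url: str, auth_header: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": auth_header}  # "Splunk <sessionKey>" or "Bearer <token>"
        self.transport = transport

    def _call(self, method: str, path: str, form: Optional[dict] = None) -> dict:
        # output_mode=json on every call so we parse JSON instead of scraping Atom XML.
        params = dict(form or {}, output_mode="json")
        encoded = urllib.parse.urlencode(params)
        url, body = self.base_url + path, None
        headers = dict(self.headers)
        if method == "GET":
            url += "?" + encoded
        else:
            body = encoded.encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, text = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {text[:200]}")
        return json.loads(text)

    def dispatch_saved_search(self, name: str, owner: str = "nobody", app: str = "search",
                              force_dispatch: bool = True) -> str:
        # The name is a path segment: percent-encode it (safe="") so spaces, '/' or '%'
        # in a user-supplied name cannot change which route is hit.
        q = lambda s: urllib.parse.quote(s, safe="")
        path = f"/servicesNS/{q(owner)}/{q(app)}/saved/searches/{q(name)}/dispatch"
        form = {"force_dispatch": "true" if force_dispatch else "false"}  # optional, per the answer
        return self._call("POST", path, form)["sid"]

    def job_state(self, sid: str) -> dict:
        path = f"/services/search/jobs/{urllib.parse.quote(sid, safe='')}"
        return self._call("GET", path)["entry"][0]["content"]

    def wait_for_job(self, sid: str, poll_interval: float = 1.0, timeout: float = 300.0) -> dict:
        deadline = time.monotonic() + timeout
        while True:
            content = self.job_state(sid)
            if _is_true(content.get("isDone")) or content.get("dispatchState") == "DONE":
                return content
            if content.get("dispatchState") == "FAILED":
                raise RuntimeError(f"job {sid} failed: {content.get('messages')}")
            if time.monotonic() >= deadline:
                raise TimeoutError(f"job {sid} still {content.get('dispatchState')} after {timeout}s")
            time.sleep(poll_interval)

    def results(self, sid: str, count: int = 0) -> list:
        # count=0 requests all rows (server still caps at maxresultrows).
        path = f"/services/search/jobs/{urllib.parse.quote(sid, safe='')}/results"
        return self._call("GET", path, {"count": str(count)})["results"]

    def run_saved_search(self, name: str, owner: str = "nobody", app: str = "search",
                         force_dispatch: bool = True, poll_interval: float = 1.0,
                         timeout: float = 300.0) -> Tuple[str, dict, list]:
        sid = self.dispatch_saved_search(name, owner, app, force_dispatch)
        state = self.wait_for_job(sid, poll_interval, timeout)
        return sid, state, self.results(sid)


def scripted_transport(responses: list, log: list) -> Transport:
    """Offline transport: returns constructed (status, body) pairs in order, records requests."""
    queue = list(responses)

    def transport(method, url, headers, body):
        log.append((method, url, body.decode() if body else None))
        return queue.pop(0)
    return transport


# Constructed sample responses in the shape splunkd returns with output_mode=json.
SAMPLE_RESPONSES = [
    (201, json.dumps({"sid": "1700000000.42"})),                                  # dispatch
    (200, json.dumps({"entry": [{"content": {"dispatchState": "RUNNING", "isDone": False,
                                              "eventCount": 1200, "resultCount": 0}}]})),
    (200, json.dumps({"entry": [{"content": {"dispatchState": "DONE", "isDone": True,
                                              "eventCount": 1200, "resultCount": 2}}]})),
    (200, json.dumps({"preview": False, "results": [{"src_ip": "10.0.0.7", "count": "812"},
                                                    {"src_ip": "10.0.0.9", "count": "388"}]})),
]


def demo() -> dict:
    """Run the whole flow offline against SAMPLE_RESPONSES and return what happened."""
    log = []
    client = SplunkJobClient("https://splunk.example.com:8089", "Splunk FAKE_SESSION_KEY",
                             scripted_transport(SAMPLE_RESPONSES, log))
    sid, state, rows = client.run_saved_search("MyCustomSearch", poll_interval=0)
    return {"sid": sid, "state": state, "rows": rows, "requests": log}
```

For a live run, construct the client with urllib_transport and a real session key or token; the management port's default certificate is self-signed, so add it to the trust store rather than turning verification off. Dispatching through /saved/searches/<name>/dispatch runs the search with the time range and other dispatch.* settings stored on the saved search, which is the behaviour the UI's "Searches & Reports" click reproduces.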