Getting Data In

Splunk API: the proper way to run a saved search

brettcave
Builder

I have recently started working on an integration with Splunk via the API, and am unclear on how to run a saved search - there seem to be a number of ways to do this, and so far my integration is triggering search jobs with no results.

I have been using http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api and http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches for reference. From this, it seems like an effective way of searching is:

  1. Authenticate and get a session ID
  2. Create the Authorization header from the authentication request
  3. POST to the search/jobs endpoint to schedule a search job
  4. Poll the search/jobs/jobId to wait for it to finish (GET, and grab the dispatchState element)
  5. Retrieve the results via search/jobs/jobId/results

In Step 3, I am posting the following body to "/services/search/jobs" (not using /serviceNS/myUsername/...):

search=savedsearch MyCustomSearch

If I log into the job manager, I can see the job. There's a large number of events matched, but no results. So then I thought I would try a Web UI search - I have tried the following 2 variations:

| savedsearch MyCustomSearch
| savedsearch "MyCustomSearch"

But both of those searches return no results. However, I can click the saved search from the "Searches & Reports" menu and get valid results. When I do that, I get the following URI that loads:

/en-US/app/search/flashtimeline?s=%2FservicesNS%2Fnobody%2Fsearch%2Fsaved%2Fsearches%2FMyCustomSearch

And this loads the correct results.

When I look at the job manager, I see 2 variations on the search that don't work.

  1. | savedsearch "MyCustomSearch" events: correct number of events, but no results, triggered by either the API call or by manually querying | savedsearch MyCustomSearch.
  2. MyCustomSearch events: correct number of events, and correct results, triggered by clicking the report in the Web UI menu

What is the correct way to invoke the saved search via the API and get correct results?

Resources used: http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches


brettcave
Builder

Looks like this post helped me get it right: http://splunk-base.splunk.com/answers/50636/finding-specific-searches-in-splunk-via-rest-api-calls

To trigger the search: POST /services/saved/searches/MyCustomSearch/dispatch -d force_dispatch=true. The force_dispatch is optional.

I can then poll the status of the returned SID (still to be tested)
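A worked version of the flow in the answer above (dispatch the saved search by name, poll the SID, fetch the results), added here as an example; it is not brettcave's code or Splunk's SDK. It uses only the Python standard library, asks every endpoint for output_mode=json, and takes the HTTP function as a parameter so the request sequence can be exercised without a server; the host and credentials are assumed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

def http_json(method, url, data=None, session_key=None):
    """Stdlib helper: form-encode data, add the session header, return JSON."""
    query = urllib.parse.urlencode(dict(data or {}, output_mode="json"))
    body = None if method == "GET" else query.encode()
    req = urllib.request.Request(url if body else f"{url}?{query}", data=body, method=method)
    if session_key:
        req.add_header("Authorization", f"Splunk {session_key}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def login(http, base, username, password):
    """POST /services/auth/login and return the session key."""
    form = {"username": username, "password": password}
    return http("POST", f"{base}/services/auth/login", form)["sessionKey"]

def dispatch_saved_search(http, base, key, name):
    """Dispatch the saved search by name and return the job SID; the name is
    URL-quoted so spaces or slashes in it cannot alter the request path."""
    quoted = urllib.parse.quote(name, safe="")
    url = f"{base}/services/saved/searches/{quoted}/dispatch"
    return http("POST", url, {"force_dispatch": "true"}, key)["sid"]

def wait_for_job(http, base, key, sid, poll=1.0, timeout=300.0):
    """Poll /services/search/jobs/<sid> until dispatchState is DONE."""
    deadline = time.monotonic() + timeout
    while True:
        job = http("GET", f"{base}/services/search/jobs/{sid}", None, key)
        content = job["entry"][0]["content"]
        state = content["dispatchState"]
        if state == "DONE":
            return content
        if state == "FAILED" or time.monotonic() > deadline:
            raise RuntimeError(f"job {sid} did not finish (state={state})")
        time.sleep(poll)

def fetch_results(http, base, key, sid):
    """GET the finished job's result rows (count=0 requests all of them)."""
    url = f"{base}/services/search/jobs/{sid}/results"
    return http("GET", url, {"count": "0"}, key)["results"]

def run_saved_search(http, base, username, password, name):
    """End to end: log in, dispatch by name, wait for DONE, return the rows."""
    key = login(http, base, username, password)  # base/creds are assumed values
    sid = dispatch_saved_search(http, base, key, name)
    wait_for_job(http, base, key, sid)
    return fetch_results(http, base, key, sid)
```

Against a live instance, call `run_saved_search(http_json, "https://splunk.example.com:8089", "apiuser", "apipassword", "MyCustomSearch")`; the job then shows in the job manager under the saved search's own name rather than as a `| savedsearch` string.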
