how to get searchid using Rest Api to retrieve res...

venkateshnarla · ‎07-12-2013

Hi,

I wanted to get the results of a saved search from Splunk using the {search_id} and I am using the search_id from "/Splunk/var/run/splunk/dispatch/" and pass it to the curl statement to get the results.

This is how my curl statement looks:

curl -u abc:abc localhost:8089/search_id_025343/results --get -d f=source -d f=sourcetype -d f=uri -d output_mode="json"-d count=10 -d earliest="-15min" >results.txt

But in this path /Applications/Splunk/bin/scripts There is a file echo.sh that has the following statements:

# simple script that writes parameters 0-7 to $SPLUNK_HOME/bin/scripts/echo_output.txt
read sessionKey
echo "'$0' '$1' '$2' '$3' '$4' '$5' '$6' '$7' '$8' '$sessionKey'" >> "$SPLUNK_HOME/bin/scripts/echo_output.txt"

How do I get $search_id$ as one of the argument to the script instead of taking it manually and putting in the curl statement. I would like to know if there is any way that i can use $search_id similar to $sessionKey in my curl statement which will get results of the search_id.

I have tried these ways
1. curl -u abc:abc localhost:8089/services/search/jobs/"$8"/results --get -d f=source -d f=sourcetype -d f=uri -d output_mode="json"-d count=10 -d earliest="-15min" >results.txt

read sessionKey
read search_id
echo "'$0' '$1' '$2' '$3' '$4' '$5' '$6' '$7' '$8' '$sessionKey' '$search_id$'" >> "$SPLUNK_HOME/bin/scripts/echo_output.txt" but was not successful.

Can any body help me or guide me to be able to get search_id dynamically in the curl statement to retrieve results.

Thank you.

venkateshnarla · ‎07-15-2013

I referred to the above one and created my curl statement as below in a shell script:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/alert1/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test9.txt"

alert1 Refers to the Alert_name that is to be triggered and its search query is : "99 host="mac-123" source="/Users/mac-123/splunk-api/123.csv"

I get the search_ids as followed when i ever i try to input some data to a file which is indexed by splunk continuosly:

rt_scheduler_adminsearchalert1_at_1373911620_68

<?xml version="1.0" encoding="UTF-8"?>

rt_scheduleradminsearchalert1_at_1373911620_68

<?xml version="1.0" encoding="UTF-8"?>

rt_scheduleradminsearch_alert1_at_1373911620_68

This is how the search_id look in "/var/run/splunk/dispatch/ls -l"

rt_scheduler_adminsearchalert1_at_1373911620_68
rt_scheduleradminsearchalert1_at_1373911620_68.0
rt_scheduleradminsearch_alert1_at_1373911620_68.1

I am confused here why the sid are not sequential but 68.0,68.1,68.2 and so on... Can any one help me to understand it more better and why I am not getting one Search_id when ever the alert is fired but getting sids versioned as .0,.1,.2 and so on..

If I use saved search - name "99" instead of alert1 in the curl statement

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/99/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test10.txt"

I get the search_id as followed:

<?xml version="1.0" encoding="UTF-8"?>

admin_adminsearch_99_at_1373921869_113

This is how the search_id look in "/var/run/splunk/dispatch/ls -l"

admin_adminsearch_99_at_1373921725_112

I am believing that the dispatch is creating a series of events for the alert that is configured but it ties the results to the saved search that constantly runs.. Please help me to understand this and I wanted to get the results by using the seach_id from the dispatch.

Thank you

LukeMurphey · ‎07-12-2013

Use the /saved/searches/{name}/dispatch first to kick off the search first. That call returns a search ID that can be used to get the results.

venkateshnarla · ‎07-15-2013

Thanks LukeMurphy...

how to get searchid using Rest Api to retrieve results from saved search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life