Getting Data In

How to get search_id using REST API to retrieve results from saved search

venkateshnarla
Explorer

Hi,

I wanted to get the results of a saved search from Splunk using the {search_id}. I am taking the search_id from "/Splunk/var/run/splunk/dispatch/" and passing it to the curl statement to get the results.

This is how my curl statement looks:

curl -u abc:abc localhost:8089/search_id_025343/results --get -d f=source -d f=sourcetype -d f=uri -d output_mode="json" -d count=10 -d earliest="-15min" >results.txt

But in the path /Applications/Splunk/bin/scripts there is a file echo.sh with the following statements:

# simple script that writes parameters 0-7 to $SPLUNK_HOME/bin/scripts/echo_output.txt
read sessionKey
echo "'$0' '$1' '$2' '$3' '$4' '$5' '$6' '$7' '$8' '$sessionKey'" >> "$SPLUNK_HOME/bin/scripts/echo_output.txt"

How do I get $search_id$ as one of the arguments to the script instead of taking it manually and putting it in the curl statement? I would like to know if there is any way that I can use $search_id, similar to $sessionKey, in my curl statement to get the results for that search_id.

I have tried these ways:

1. curl -u abc:abc localhost:8089/services/search/jobs/"$8"/results --get -d f=source -d f=sourcetype -d f=uri -d output_mode="json" -d count=10 -d earliest="-15min" >results.txt

2. read sessionKey
read search_id
echo "'$0' '$1' '$2' '$3' '$4' '$5' '$6' '$7' '$8' '$sessionKey' '$search_id$'" >> "$SPLUNK_HOME/bin/scripts/echo_output.txt"

but was not successful.

Can anybody help me or guide me on how to get the search_id dynamically into the curl statement to retrieve results?

Thank you.


venkateshnarla
Explorer

I referred to the above one and created my curl statement as below in a shell script:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/alert1/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test9.txt"

alert1 refers to the alert name that is to be triggered, and its search query is: 99 host="mac-123" source="/Users/mac-123/splunk-api/123.csv"

I get the search_ids as follows whenever I input some data into a file that is indexed by Splunk continuously:

rt_scheduler_adminsearchalert1_at_1373911620_68

<?xml version="1.0" encoding="UTF-8"?>

rt_scheduleradminsearchalert1_at_1373911620_68

<?xml version="1.0" encoding="UTF-8"?>

rt_scheduleradminsearch_alert1_at_1373911620_68

This is how the search_ids look in the "ls -l" output of "/var/run/splunk/dispatch":

rt_scheduler_adminsearchalert1_at_1373911620_68
rt_scheduleradminsearchalert1_at_1373911620_68.0
rt_scheduleradminsearch_alert1_at_1373911620_68.1

I am confused here why the sids are not sequential but 68.0, 68.1, 68.2 and so on... Can anyone help me understand this better, and why I am not getting one search_id whenever the alert is fired but instead getting sids versioned as .0, .1, .2 and so on?

If I use the saved search named "99" instead of alert1 in the curl statement:

curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/99/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test10.txt"

I get the search_id as follows:

<?xml version="1.0" encoding="UTF-8"?>

admin_adminsearch_99_at_1373921869_113

This is how the search_id looks in the "ls -l" output of "/var/run/splunk/dispatch":

admin_adminsearch_99_at_1373921725_112

I believe that the dispatch is creating a series of events for the alert that is configured, but it ties the results to the saved search that runs constantly. Please help me understand this; I want to get the results by using the search_id from the dispatch.

Thank you

LukeMurphey
Champion

Use /saved/searches/{name}/dispatch first to kick off the search. That call returns a search ID that can be used to get the results.
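Putting that answer into a script, as an added example that is not from this thread or from Splunk: dispatch the saved search, take the sid from the XML reply, poll the job until it is done, then fetch the results with the same field filter the question used. The server URL and credentials are placeholders, and the sid_from_url helper assumes that the "view results" URL Splunk passes to an alert script as its sixth argument carries the sid as a sid= query parameter.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): dispatch a saved search
# over the REST API, read the sid from the reply, wait for the job, fetch results.
# SPLUNK_URL and SPLUNK_AUTH are placeholders; set them for your own instance.
SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"   # placeholder credentials
# Print the <sid> element from an XML dispatch reply read on stdin.
extract_sid() {
  sed -n 's/.*<sid>\([^<]*\)<\/sid>.*/\1/p' | head -n 1
}
# Print the sid= query parameter from a "view results" URL such as the one
# Splunk hands an alert script as its 6th argument (assumed to carry sid=...).
sid_from_url() {
  printf '%s\n' "$1" | sed -n 's/.*[?&]sid=\([^&]*\).*/\1/p'
}
# Results endpoint for a given sid.
results_url() {
  printf '%s/services/search/jobs/%s/results\n' "$SPLUNK_URL" "$1"
}
# Kick off the saved search named $1 and print the sid Splunk returns.
dispatch_saved_search() {
  curl -s -k -u "$SPLUNK_AUTH" \
    "$SPLUNK_URL/servicesNS/admin/search/saved/searches/$1/dispatch" \
    -d trigger_actions=0 -d output_mode=xml | extract_sid
}
# Poll the job until dispatchState is DONE; fail on FAILED or after 60 tries.
wait_for_job() {
  tries=0
  while [ "$tries" -lt 60 ]; do
    state=$(curl -s -k -u "$SPLUNK_AUTH" "$SPLUNK_URL/services/search/jobs/$1" |
      sed -n 's/.*name="dispatchState">\([A-Z]*\)<.*/\1/p')
    [ "$state" = "DONE" ] && return 0
    [ "$state" = "FAILED" ] && return 1
    tries=$((tries + 1)); sleep 1
  done
  return 1
}
# Fetch results as JSON, restricted to the fields the question asked for.
fetch_results() {
  curl -s -k -u "$SPLUNK_AUTH" --get "$(results_url "$1")" \
    -d f=source -d f=sourcetype -d f=uri -d output_mode=json -d count=10
}
# Usage: sh fetch_saved_search.sh <saved_search_name> (no network call without args)
if [ -n "$1" ]; then
  sid=$(dispatch_saved_search "$1") && wait_for_job "$sid" && fetch_results "$sid"
fi
```

Because the dispatch reply and the dispatch directory name are the same sid, nothing has to be read from /var/run/splunk/dispatch by hand.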

venkateshnarla
Explorer

Thanks LukeMurphey...
