I referred to the above one and created my curl statement as below in a shell script:
curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/alert1/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test9.txt"
alert1 refers to the alert name that is to be triggered, and its search query is: "99 host="mac-123" source="/Users/mac-123/splunk-api/123.csv"
I get the search_ids as follows whenever I try to input some data to a file which is indexed by Splunk continuously:
rt_scheduler_adminsearchalert1_at_1373911620_68
<?xml version="1.0" encoding="UTF-8"?>
rt_scheduleradminsearchalert1_at_1373911620_68
<?xml version="1.0" encoding="UTF-8"?>
rt_scheduleradminsearch_alert1_at_1373911620_68
This is how the search_ids look in the output of "ls -l" on /var/run/splunk/dispatch:
rt_scheduler_adminsearchalert1_at_1373911620_68
rt_scheduleradminsearchalert1_at_1373911620_68.0
rt_scheduleradminsearch_alert1_at_1373911620_68.1
I am confused here about why the sids are not sequential but 68.0, 68.1, 68.2 and so on... Can anyone help me understand this better, and why I am not getting one search_id whenever the alert is fired but am getting sids versioned as .0, .1, .2 and so on?
If I use the saved search named "99" instead of alert1 in the curl statement:
curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/saved/searches/99/dispatch -d trigger_actions=1 -d output_mode=xml >>"$SPLUNK_HOME/bin/scripts/test10.txt"
I get the search_id as follows:
<?xml version="1.0" encoding="UTF-8"?>
admin_adminsearch_99_at_1373921869_113
This is how the search_id looks in the output of "ls -l" on /var/run/splunk/dispatch:
admin_adminsearch_99_at_1373921725_112
I believe that the dispatch is creating a series of events for the alert that is configured, but it ties the results to the saved search that constantly runs. Please help me to understand this; I want to get the results by using the search_id from the dispatch.
Thank you
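As an added example (not the original poster's script), here is a shell version of the same dispatch call that reads the password from the environment instead of the script, keeps TLS verification on instead of using -k, extracts the sid from the output_mode=xml reply, and then waits for the job and fetches its results through Splunk's search/jobs endpoints. The SPLUNK_* variables, the SPLUNK_LIVE switch that enables the live calls, the helper names, and the sample reply it parses when run offline are all assumptions made for this example; the sid values in the sample and usage are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Dispatches a Splunk saved
# search over the REST API, pulls the sid out of the output_mode=xml reply,
# waits for the job and fetches its results. Assumptions: connection settings
# come from the SPLUNK_* environment variables below, the live calls only run
# when SPLUNK_LIVE is set, and job status/results are read from the standard
# /services/search/jobs/<sid> endpoints (not shown in the post).

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_USER="${SPLUNK_USER:-admin}"   # also used as the servicesNS namespace, as in the post
SPLUNK_PASS="${SPLUNK_PASS:-}"        # from the environment, never inline in the script
SPLUNK_CACERT="${SPLUNK_CACERT:-}"    # CA bundle for the management port; replaces -k

# Constructed sample of a dispatch reply, in the shape of the XML replies
# quoted in the post (the sid value is the one the post shows).
SAMPLE_REPLY='<?xml version="1.0" encoding="UTF-8"?>
<response><sid>rt_scheduler_adminsearchalert1_at_1373911620_68</sid></response>'

# Shared curl call: TLS verification stays on; pass --cacert when the
# management port uses Splunk's self-signed certificate. A .netrc (curl -n)
# would additionally keep the password out of the process list.
splunk_curl() {
  if [ -n "$SPLUNK_CACERT" ]; then
    curl -sS -u "$SPLUNK_USER:$SPLUNK_PASS" --cacert "$SPLUNK_CACERT" "$@"
  else
    curl -sS -u "$SPLUNK_USER:$SPLUNK_PASS" "$@"
  fi
}

# Print the sid from a dispatch reply read on stdin.
extract_sid() {
  sed -n 's/.*<sid>\([^<]*\)<\/sid>.*/\1/p'
}

# Split a sid like rt_..._68.1 into its base (rt_..._68) and suffix (1).
sid_base()   { printf '%s\n' "$1" | sed 's/\.[0-9][0-9]*$//'; }
sid_suffix() { printf '%s\n' "$1" | sed -n 's/.*\.\([0-9][0-9]*\)$/\1/p'; }

# True when the sid carries the rt_ prefix of a real-time scheduled search,
# which is the kind that produced the .0/.1 entries in the post's listing.
is_realtime_sid() {
  case "$1" in rt_*) return 0 ;; *) return 1 ;; esac
}

# Dispatch a saved search by name and print the resulting sid.
dispatch_saved_search() {
  splunk_curl "$SPLUNK_URL/servicesNS/$SPLUNK_USER/search/saved/searches/$1/dispatch" \
    -d trigger_actions=1 -d output_mode=xml | extract_sid
}

# Poll the job until its isDone flag is 1; fail after $2 attempts (default 30).
wait_for_job() {
  attempts="${2:-30}"
  while [ "$attempts" -gt 0 ]; do
    if splunk_curl "$SPLUNK_URL/services/search/jobs/$1" | grep -q 'name="isDone">1<'; then
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 2
  done
  return 1
}

# Fetch the job's results as CSV (GET with output_mode as a query parameter).
fetch_results() {
  splunk_curl -G "$SPLUNK_URL/services/search/jobs/$1/results" -d output_mode=csv
}

if [ -n "$SPLUNK_LIVE" ]; then
  # Live run: dispatch the saved search named on the command line (default alert1).
  sid="$(dispatch_saved_search "${1:-alert1}")"
  [ -n "$sid" ] || { echo "no sid in dispatch reply" >&2; exit 1; }
  echo "dispatched sid: $sid"
  wait_for_job "$sid" && fetch_results "$sid"
else
  # Offline run on the constructed sample; no Splunk instance is contacted.
  sid="$(printf '%s\n' "$SAMPLE_REPLY" | extract_sid)"
  if is_realtime_sid "$sid"; then kind="real-time"; else kind="not real-time"; fi
  echo "sample sid: $sid ($kind)"
  echo "base of $sid.1: $(sid_base "$sid.1"), suffix: $(sid_suffix "$sid.1")"
fi
```

Run it as `SPLUNK_LIVE=1 SPLUNK_PASS=... SPLUNK_CACERT=/path/to/ca.pem sh dispatch.sh alert1` against an instance; without SPLUNK_LIVE it only exercises the parsing on the sample reply. The sid_base and sid_suffix helpers exist so that a suffixed id from the dispatch listing (for example the ..._68.1 entry above) can be handed to wait_for_job and fetch_results as-is while the script still knows which base search it belongs to.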