It works if add "args." before argument name. For example the saved search (with the name "findSurname") is:
host=my_host field1=$args.surname$
then you can do:
SavedSearch savedSearch = splunkService.getSavedSearches().get("findSurname"); //get your saved search by name
SavedSearchDispatchArgs dispatchArgs = new SavedSearchDispatchArgs();
dispatchArgs.add("args.surname", "IVAN*");
Job job = savedSearch.dispatch(dispatchArgs);
while(!job.isDone()){
try {
Thread.sleep(500);
} catch (InterruptedException ex) {
System.out.println("Waiting thread was interrupted: " + ex.toString());
}
}
try{
Args outputArgs = new Args();
outputArgs.put("output_mode","json");
InputStream inputStream = job.getEvents(outputArgs);
byte[] buffer = new byte[4096];
while(inputStream.read(buffer)!=-1){
System.out.println(new String(buffer));
}
}catch(Exception ex){
System.out.println("Error getting result from Splunk: " + ex.toString());
}
Also you can see some examples about saved searches with Splunk SDK here: http://dev.splunk.com/view/java-sdk/SP-CAAAEKY
... View more