<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Link to download source files in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79269#M16236</link>
    <description>&lt;P&gt;Many thanks, it works with just a simple change, instead of info_search_id, you have to use info_sid. &lt;/P&gt;

&lt;P&gt;It is a bit weird, as the documentation clearly states what you mention, but info_search_id is not available in my search results...&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 09:27:40 GMT</pubDate>
    <dc:creator>oscargarcia</dc:creator>
    <dc:date>2020-09-28T09:27:40Z</dc:date>
    <item>
      <title>Link to download source files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79267#M16234</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;We have a system with many indexed small xml files. Is it possible to have a link/view that displays the full content of all the matches in a search?&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 12 Apr 2011 04:13:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79267#M16234</guid>
      <dc:creator>oscargarcia</dc:creator>
      <dc:date>2011-04-12T04:13:33Z</dc:date>
    </item>
    <item>
      <title>Re: Link to download source files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79268#M16235</link>
      <description>&lt;P&gt;Hi Oscar,&lt;/P&gt;

&lt;P&gt;what you might be able to do is construct a search which produces a link to a page displaying the raw xml for each search result. This could be achieved by using the addinfo command in combination with eval to produce the URL.&lt;/P&gt;

&lt;P&gt;Check out this &lt;A href="http://www.splunk.com/base/Documentation/latest/User/InteractiveSearch#Use_show_source_to_view_the_raw_event" rel="nofollow"&gt;doco&lt;/A&gt;, it will give you an idea of how splunk out of the box allows you to view the source for an event. Using that understanding you might be able to achieve what I described above (might, as in I've never tried this myself).&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Use addinfo in your search to produce the info_search_id&lt;/LI&gt;
&lt;LI&gt;Construct a URL using eval similar to the following:
eval linktoSource="https://URL:8000/en-US/app/APPNAME/show_source?sid=".info_search_id."&amp;amp;offset=0&amp;amp;latest_time="&lt;/LI&gt;
&lt;LI&gt;The result of that eval should be a URL pointing to the raw source of that event. The source for that event should be highlighted.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;If this isn't what you're after I hope it gets you on the right track.&lt;/P&gt;

&lt;P&gt;Cheers,
James&lt;/P&gt;</description>
      <pubDate>Tue, 12 Apr 2011 13:10:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79268#M16235</guid>
      <dc:creator>jamesaarondevli</dc:creator>
      <dc:date>2011-04-12T13:10:56Z</dc:date>
    </item>
    <item>
      <title>Re: Link to download source files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79269#M16236</link>
      <description>&lt;P&gt;Many thanks, it works with just a simple change, instead of info_search_id, you have to use info_sid. &lt;/P&gt;

&lt;P&gt;It is a bit weird, as the documentation clearly states what you mention, but info_search_id is not available in my search results...&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:27:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Link-to-download-source-files/m-p/79269#M16236</guid>
      <dc:creator>oscargarcia</dc:creator>
      <dc:date>2020-09-28T09:27:40Z</dc:date>
    </item>
  </channel>
</rss>

