Splunk API: the proper way to run a saved search

brettcave — Thu, 25 Apr 2013 14:51:42 GMT

I have recently starting working on an integration with Splunk via the API, and am unclear on how to run a saved search - there are a number of ways it seems to do this, and so far my integration is triggering search jobs with no results.

I have been using http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api and http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches for reference. From this, it seems like an effective way of searching is:

Authenticate and get a session ID
Create the Authorization header from the authentication request
POST to the search/jobs endpoint to schedule a search job
Poll the search/jobs/jobId to wait for it to finish (GET, and grab the dispatchState element)
Retrieve the results via search/jobs/jobId/results

In Step 3, I am posting the following body to "/services/search/jobs" (not using /serviceNS/myUsername/...):

search=savedsearch MyCustomSearch

If I log into the job manager, I can see the job. There's a large number of events matched, but no results. So then I thought I would try a Web UI search - I have tried the following 2 variations:

| savedsearch MyCustomSearch
| savedsearch "MyCustomSearch"

But both of those searches return no results. However, I can click the saved search from the "Searches & Reports" menu and get valid results. When I do that, I get the following URI that loads:

/en-US/app/search/flashtimeline?s=%2FservicesNS%2Fnobody%2Fsearch%2Fsaved%2Fsearches%2FMyCustomSearch

And this load the correct results.

When I look at the job manager, I see 2 variations on the search that don't work.

| savedsearch "MyCustomSearch" events: correct number of events, but no results, triggered by either the API call or by manually quering | savedsearch MyCustomSearch.
MyCustomSearch events: correct number of events, and correct results, triggered by clicking the report in the Web UI menu

What is the correct way to invoke the saved search via the API and get correct results?

Resources used: http://splunk-base.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches

Re: Splunk API: the proper way to run a saved search

brettcave — Fri, 26 Apr 2013 07:58:32 GMT

Looks like this post helped me get it right: http://splunk-base.splunk.com/answers/50636/finding-specific-searches-in-splunk-via-rest-api-calls

To trigger the search: POST /services/saved/searches/MyCustomSearch/dispatch -d force_dispatch=true. The force_dispatch is optional.

I can then poll the status of the returned SID (still to be tested)

topic Re: Splunk API: the proper way to run a saved search in Getting Data In

Splunk API: the proper way to run a saved search

Re: Splunk API: the proper way to run a saved search