topic Re: How to get alert result through API? in Splunk Search

How to get alert result through API?

BrianLam — Fri, 17 Jan 2025 23:01:27 GMT

I'm calling the API from BTP IS and want to get the result of an alert that I created from before. My alert name is PRD - Daily CCS Integrations Error Report, not quite sure what's the correct syntax of the URL and command to get the result.

Re: How to get alert result through API?

tscroggins — Sat, 18 Jan 2025 23:49:11 GMT

Hi @BrianLam,

You can retrieve the search results using the search/v2/jobs/{search_id}/results endpoint. See https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearch_id.7D.2Fresults.

The search_id value is specific to the instance of the search that generated the alert.

It's a simple GET request. The default output mode is XML. If you want JSON output, pass the output_mode query parameter as part of the GET request:

https://splunk:8089/services/search/v2/jobs/scheduler__user__app__xxx_at_xxx_xxx/results?output_mode=json

Re: How to get alert result through API?

BrianLam — Tue, 21 Jan 2025 20:51:22 GMT

Thanks for the help @tscroggins.

I was able to get the result calling the API. But I had to fill in the {search_id} manually, is there a way to get the {search_id} through the endpoint or I have to retrieve it from a parameter in another GET request.

I need this because it's a daily alert and I would need to get the result through the API endpoint daily as well in BTP IS

Re: How to get alert result through API?

tscroggins — Sun, 26 Jan 2025 20:09:38 GMT

Hi @BrianLam,

I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:

https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published

Then use the related job link at .entry[0].links.job to construct a results URI:

{ /* ... */ "entry": [ /* ... */ "links": { /* ... */ "job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx", /* ... */ } ], /* ... */ }

→

https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json

In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.