topic Re: Get action.script using REST/SDK in Splunk Search

Get action.script using REST/SDK

mchappidi — Tue, 24 Jun 2014 21:13:53 GMT

Hello

Is there any way to get action.script/action.script.filename from searches/jobs using REST/SDK?
I am aware, we can get from savedsearches.

Re: Get action.script using REST/SDK

martin_mueller — Thu, 26 Jun 2014 09:14:36 GMT

No, the search/jobs endpoint doesn't provide that info. You'd have to take the report's ID built from the label, user, and app returned by search/jobs and look at the saved/searches endpoint as you found out already 🙂

Take a look at this example to illustrate:

| rest /services/search/jobs search="isSavedSearch=1" | rename eai:acl.app as app | fields author app label sid | map search="rest /servicesNS/$author$/$app$/saved/searches/$label$ | fields title action.script action.script.filename | eval sid=\"$sid$\""

Re: Get action.script using REST/SDK

mchappidi — Thu, 26 Jun 2014 15:41:35 GMT

Thanks for the immediate reply. I understood the logic.
But I got the following error:
"The search result count (354) exceeds maximum (10), using max. To override it, set maxsearches appropriately."

I'm new to splunk search. Any help would be great.
Thank you again!!

Re: Get action.script using REST/SDK

martin_mueller — Thu, 26 Jun 2014 15:56:01 GMT

By default the map command will only execute ten searches, see http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/map for reference. Add maxsearches=0 to disable the maximum entirely.

Consider filtering before the map, for example by app or search name - unless you want to see all 354 entries.

Re: Get action.script using REST/SDK

mchappidi — Thu, 26 Jun 2014 18:16:43 GMT

yes, I did that. But it is returning "None"/No Results found.

Re: Get action.script using REST/SDK

martin_mueller — Thu, 26 Jun 2014 18:20:30 GMT

Heh, it appears map may not like maxsearches=0 for an infinite number of searches, try setting it to 1000 instead.

Re: Get action.script using REST/SDK

mchappidi — Thu, 26 Jun 2014 18:32:34 GMT

I did for 500. But no result.

Re: Get action.script using REST/SDK

martin_mueller — Thu, 26 Jun 2014 19:00:07 GMT

Does running a single REST call for a saved search work based on values taken from the jobs call manually?

Re: Get action.script using REST/SDK

mchappidi — Thu, 26 Jun 2014 21:26:35 GMT

Yes! I tried. But I didn't get any output.
|rest/servicesNS/* /* /saved/searches/* | fields title action.script action.script.filename |

Re: Get action.script using REST/SDK

martin_mueller — Thu, 26 Jun 2014 22:15:26 GMT

I don't think wildcards work there.

Re: Get action.script using REST/SDK

mchappidi — Fri, 27 Jun 2014 15:20:54 GMT

I hard-coded "author","app" and "label". I just mentioned as wildcard. Is this right way to collect from savedsearch ? Any example provided helps a lot.
Thank you again!!

Re: Get action.script using REST/SDK

martin_mueller — Fri, 27 Jun 2014 15:29:02 GMT

The search I posted is a working example over here, so posting another doesn't seem useful to me.

Instead, you should work your way to what's going wrong on your end. Start with this:

| rest /services/saved/searches

That should list all your saved searches. Then add a user and the app:

| rest /servicesNS/user/app/saved/searches

That should list saved searches in that app. Then you add a saved search label to the end, and you should get details for that saved search. Confirm that's returned by the jobs call if it's a scheduled search.

Re: Get action.script using REST/SDK

mchappidi — Fri, 27 Jun 2014 15:57:07 GMT

Yes! But "isSavedSearch=1" count(360) doesn't match with "|rest /services/saved/searches" count(90).

Re: Get action.script using REST/SDK

martin_mueller — Fri, 27 Jun 2014 16:09:16 GMT

Doesn't match how?

Re: Get action.script using REST/SDK

mchappidi — Fri, 27 Jun 2014 17:17:19 GMT

That's issue. So I am not able to pick them in map searching!!