I am using the REST API search endpoints to invoke a search. When the search completes, I get a SID from the JSON response. I then create an email with the search result. In addition, I want to include a hyperlink in the email that will take me to Splunk displaying the same result (with the same criteria, including the time window). Can I use the SID to do this (as long as the SID hasn't expired)?
You can achieve this. While creating a new job using the REST API, please provide a unique id to the search job so that will act as
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal | stats count by host" -d id=mysearch_31102018114300
After that you can create the hyperlink in the email; the hyperlink should be like this
Based on the example I have provided with id=mysearch_31102018114300, the hyperlink should be like this
As I was not able to fetch the latest time from the job ID, we can't provide the earliest and latest time in the hyperlink; however, when you use loadjob it will load exactly the same result as when the job ran with the given timeframe.
I tried this with the SID I got back from the response:
And got this error:
Error in 'SearchOperator:loadjob': The search artifact for job '1541017578.20031_E86B55B0-BB4E-4D2E-9BA0-23B22288B1CA' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.
What does this mean?
Oh, I didn't know that you are running a Search Head Cluster. In an SHC, an ad-hoc job will not be replicated to other members in the same cluster, and in your case, when you construct the URL and hit it, the LB is redirecting it to another member on which the job didn't run.
You can try something like this, but I am not sure whether it will work or not: when you fetch data from the job with the SID, you will be able to find the search head from searchProviders. When I ran 2-3 jobs, generally the Search Head was at the first position and the Indexers started from the 2nd position. If this is consistent in all jobs, then you can fetch the Search Head from there and construct the hyperlink with the Search Head directly. (Unfortunately, you will not be able to use the VIP configured for SHC members in the hyperlink.)
Try the following URL to open the Search page with the sid
It will return the same results as the original query and for the same time duration.
Please accept the answer if it works for you.