I want to achieve this,
Whenever we search something in Splunk, I want to return the search url along with the splunk results.
Manually, I created an alert in Splunk which triggers every hour and returns the View Results link.
How can I do it programmatically? I don't want to create alerts manually like this.
@deshpandevikasv, can you please describe what you want to achieve/mean by "programmatically"?
Sending email is one of the alert actions.
You can also send emails from
1) Dashboards: http://docs.splunk.com/Documentation/SplunkCloud/latest/Report/GeneratePDFsofyourreportsanddashboard...
2) Scheduled Reports : https://docs.splunk.com/Documentation/Splunk/latest/Report/Schedulereports#Define_a_Send_Email_actio...
3) sendemail SPL command: http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification
Thank you for the comment @niketnilay!
By programmatically I meant to create an alert through a java program depending on the input I get from another service.
@deshpandevikasv, Seems like you want to create the send email from outside of Splunk without having to create an Alert in Splunk.
You might have to go for either:
Splunk REST API to Authenticate and connect to Splunk and execute a SPLUNK search with sendemail command to trigger the email (http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches) or
Splunk SDK for Java to perform similar activities (http://dev.splunk.com/java).
Thank you @niketnilay. I was able to create an alert, and if I run the same code again it gives me a "Saved Search already exists" error, which is expected. But I am not able to see that alert being created in the Splunk web UI. Do you have any idea why?
"Manually, I created an alert in Splunk which triggers every hour and returns the View Results link"
May I know how you get this "View Results" link?
Is this on Linux or Windows?
@inventsekar, I get the View Results link in the email, which is the action set to run when the alert is triggered every hour. And I am using a Mac, which shouldn't matter since this is just an alert triggered in the Splunk web UI and the action is to send an email.
If you want to generate your own link directly to the results, you'll need to find out the Search ID (SID) of the query you just ran. The easiest way to do this is via the addinfo command. For example:
index=awesome_data earliest=-60m | ... | addinfo
This will add a few fields to all of your event results, but the one you care about is info_sid. You can use this field to build your own reference to the results of the search. The search page within Splunk can take a form field named sid with the value of the Search ID like the following:
So if you wanted to do this within the search you could do something like this:
index=awesome_data earliest=-60m | ... | addinfo | eval results_url="https://splunk.deshpandevikasv.com/en-US/app/search/search?sid=" . info_sid
When you go to the link with a provided sid then Splunk will find the results from that prior query from the dispatch directory.
A couple notes:
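Here is an added example, not from this thread, of doing the same thing from outside Splunk as the question asks: it builds the REST request that runs a search with addinfo appended, pulls info_sid out of the job's JSON results, cross-checks it against the sid the job endpoint returned, and assembles the web UI link in the form shown above. The Splunk hosts, the sid and the results payload are constructed placeholders; the endpoint paths and parameters are the documented Splunk REST search API.

```python
"""Build Splunk REST calls that run a search with addinfo and turn the
resulting info_sid into a web UI results link. Runs offline against a
constructed results payload; no live Splunk instance is needed."""
import json
from urllib.parse import quote, urlencode


def search_job_request(rest_base, spl, earliest="-60m"):
    """Return (url, form_body) for POST /services/search/jobs.
    The jobs endpoint needs the leading 'search' keyword unless the SPL
    starts with a generating command ('|')."""
    spl = spl.strip()
    if not spl.startswith("search ") and not spl.startswith("|"):
        spl = "search " + spl
    if "addinfo" not in spl:
        spl += " | addinfo"          # so every row carries info_sid
    body = urlencode({"search": spl, "earliest_time": earliest,
                      "exec_mode": "blocking", "output_mode": "json"})
    return f"{rest_base.rstrip('/')}/services/search/jobs", body


def results_url(web_base, sid, app="search", locale="en-US"):
    """Web UI link that reloads a finished job from the dispatch directory.
    quote(safe='') escapes anything in the sid that is not URL-safe."""
    return f"{web_base.rstrip('/')}/{locale}/app/{app}/search?sid={quote(sid, safe='')}"


def sid_from_results(results_json, job_sid=None):
    """Extract info_sid from GET /services/search/jobs/<sid>/results
    (output_mode=json). All rows share one sid; if the caller knows the
    sid the jobs endpoint returned, refuse a mismatch rather than link to
    the wrong dispatch directory."""
    rows = json.loads(results_json).get("results", [])
    sids = {row["info_sid"] for row in rows if "info_sid" in row}
    if len(sids) != 1:
        raise ValueError(f"expected exactly one info_sid, got {sids}")
    sid = sids.pop()
    if job_sid is not None and job_sid != sid:
        raise ValueError("info_sid does not match the dispatched job sid")
    return sid


# Constructed sample payload in the shape the results endpoint returns.
SAMPLE = json.dumps({"results": [
    {"_time": "2024-01-01T00:00:00", "host": "web01", "info_sid": "1704067200.123"},
    {"_time": "2024-01-01T00:01:00", "host": "web02", "info_sid": "1704067200.123"},
]})

if __name__ == "__main__":
    url, body = search_job_request("https://splunk.example.com:8089",
                                   "index=awesome_data | stats count by host")
    print(url, body)
    sid = sid_from_results(SAMPLE, job_sid="1704067200.123")
    print(results_url("https://splunk.example.com", sid))
```

The link only works while the job's dispatch directory still exists, so a scheduled or programmatic search should set a TTL long enough for the recipient to open it.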