Can I retrieve job.sid with simple xml in Splunk E...

CarlAus · ‎01-07-2024

We are still running Enterprise 6.1, and I am unable to locate the relevant documentation.
I would like to know if I can access the job.sid using simple xml, and if so what the syntax might be.

I gather I am restricted to the <searchString> element as <search> & <query> are not relevant to version 6.1,

Any assistance would be most appreciated.

tscroggins · ‎01-07-2024

It's been a long time, but you may find what you need in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/schema. The directory may be different, but there should be a simplexml.xsd schema file floating around to help you find elements, attributes, etc. The dashboard code is in search_mrsparkle as something like dashboard_*.js. You may need to de-minify the source, but you can search it and related files to see which built-in tokens are available.

CarlAus · ‎01-07-2024

**at least I believe the <search> & <query> are not applicable to version 6.1!?

bowesmana · ‎01-07-2024

I am not sure when they came in, but looking at a Splunk 7 instance I have, there is a mix of searchString and <search><query> in the same dashboard.

Can you try converting the <searchString> to search/query and then addding an event handler outside the <query>, i.e.

<search>
  <query>
    your_search
  </query>
  <finalized>
    <set token="job_sid">$job.sid$</set>
  </finalized>
</search>

Not sure when/if finalized was changed to <done>, but I have seen <preview> and <progress> event handlers in old dashboards along with <finalized>.

See if any of this works.

Can I retrieve job.sid with simple xml in Splunk Ent 6.1

Classic dashboard

form

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?