Solved: Call Splunk API to Get Sid

manhuang · ‎06-01-2016

I make a call to the Splunk REST API to get sid.
api is /services/search/jobs?output_mode=json
In a general way, it will return an sid like 1464774202.16228 for me to get a final result.
But sometimes, it will return me a lot of info without sid, but dispatchState is Done.
Seems like something does not work.
Why do I get a result like this?

jkat54 · ‎12-06-2019

Try adding exec_mode to your post.

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/RESTREF/RESTsearch#search.2Fjobs

View solution in original post

jkat54 · ‎12-06-2019

Try adding exec_mode to your post.

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/RESTREF/RESTsearch#search.2Fjobs

jkat54 · ‎12-06-2019

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949

slw07gdev · ‎12-08-2019

thank you!

jkat54 · ‎12-08-2019

Anytime!!!

jkat54 · ‎12-06-2019

You can also specify the id you want. Do you see in the documentation how to expand the "post" section to see all the parameters?

slw07gdev · ‎12-06-2019

I'm experiencing the same issue. Trying to create a search, but getting unexpected data back.

When issuing a GET request to the URL, details about all searches should be returned.

But I'm issuing POST requests and getting the same blurb back. Have you been able to resolve the issue?

jkat54 · ‎06-01-2016

You should get the SID when you submit the search as the returned JSON. This endpoint is for checking the status of jobs when you've already got the SID or if you want to see currently running jobs. When all jobs are complete this endpoint returns the data you're sometimes seeing.

manhuang · ‎06-02-2016

I called api /services/search/jobs?output_mode=json, and can get sid.
But sometime, it returns info without sid, but some info like error.
we need to call api by auto program, we need to know when will occur these abnormal issue.

jkat54 · ‎06-02-2016

When you create a search you will always get the SID as a response.

When you call this endpoint without specifying the SID you get the status of all the RUNNING jobs. There is a difference between submitting a job, checking the status of a known SID, and checking the status of all jobs.

If you check this endpoint and all jobs are complete... There will not be any SIDS returned.

If you check this endpoint and a job is currently running, then you may get the SID(s) of the running job(s).

If you check this endpont and specify the SID, you'll get the status for that SID.

Call Splunk API to Get Sid

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation