Solved: Can i use rest API to see the latest result of a ...

kairobin · ‎04-10-2015

In the web Interface of Splunk - Saved Searches. One can view the latest result of a saved search.
This wil give the user the information without doing the search over again.

Does anybody have a way or an example on how to to get these result out using PHP, Curl og even Powershell?

Thanks in advance.
kai

acharlieh · ‎04-10-2015

With the REST API you could use /saved/searches/{name}/history to get all jobs, which will then return links to /search/jobs/{search_id} which is links or a minor url modification away from /search/jobs/{search_id}/results

There are examples all through the RESTREF doc that should help you out.

View solution in original post

kairobin · ‎04-10-2015

This wil give me much more to work With.
thank you

acharlieh · ‎04-10-2015

With the REST API you could use /saved/searches/{name}/history to get all jobs, which will then return links to /search/jobs/{search_id} which is links or a minor url modification away from /search/jobs/{search_id}/results

There are examples all through the RESTREF doc that should help you out.

kairobin · ‎04-10-2015

Do you have an examle of this script?
I thought that this only worked with a live search. That for instanc $5 only has information when it ran a search.

harsmarvania57 · ‎04-10-2015

This script will run when your schedule search will run.

harsmarvania57 · ‎04-10-2015

Hi,

I am not sure about rest API, but you can create a script and you can use Splunk arguments to fectch the results, results will be in .tar.gz format, so you have to extract result with your script.

Ref. for splunk argument: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Configuringscriptedalerts#Access_arguments_t...

Can i use rest API to see the latest result of a saved search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life