
Does anyone know how to convert a savedsearch request to a REST API endpoint request?

Communicator

Does anyone know how to convert this savedsearch request to a REST endpoint request?

|savedsearch mysearch replace_me="value"

I can run a normal savedsearch "apmcvcqtrbhtest" using curl in the app apm_snpm

curl -k -u svc_user_bob:password https://localhost:8089/servicesNS/svc_user_bob/apm_snpm/saved/searches/apm_cvc_qtr_bh_test/dispatch -d trigger_actions=1

but I don't know how to pass the replace_me key and value

Any ideas?


Re: Does anyone know how to convert a savedsearch request to a REST API endpoint request?

SplunkTrust

See this example

http://answers.splunk.com/answers/8945/how-to-start-a-saved-search-using-rest-api.html

You can just give your "|savedsearch" command as the search query in curl.

0 Karma

Re: Does anyone know how to convert a savedsearch request to a REST API endpoint request?

Communicator

Thanks, but I couldn't see in there how to pass the values for a template search...

0 Karma

Re: Does anyone know how to convert a savedsearch request to a REST API endpoint request?

Communicator

For the REST call

curl -k -u user:password https://blah.local:8089/servicesNS/svc_usr_bob/apm_snpm/saved/searches/apm_cvc_qtr_bh_test/dispatch -d trigger_actions=1 -d args.startDate="-3d" -d args.endDate="-0d"

in the saved search

eventtype=service-CombinedForwardingPlaneQueueGroupServiceIngressLogRecord earliest=$args.startDate$ latest=$args.endDate$

I should work for the NSA after decrypting the Splunk doco
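Added example, not part of the original thread: a Python sketch that parses a `|savedsearch <name> key="value"` string and builds the matching POST to the `dispatch` endpoint, following the `args.<key>` pattern from the accepted post. The function name `savedsearch_to_dispatch` and the assumption that every key=value pair maps to an `args.<key>` form field are this example's own; the request is only built, not sent, and authentication is left to the caller.

```python
import shlex
from urllib.parse import quote, urlencode
from urllib.request import Request


def savedsearch_to_dispatch(spl, base_url, owner, app, extra=None):
    """Build the dispatch POST for '|savedsearch <name> [key="value" ...]'.

    Hypothetical helper: assumes each key=value pair becomes an
    args.<key> form field, as in the accepted post's curl call.
    """
    # shlex handles the double-quoted values used by the SPL command.
    tokens = shlex.split(spl.strip().lstrip("|"))
    if len(tokens) < 2 or tokens[0].lower() != "savedsearch":
        raise ValueError("expected: |savedsearch <name> [key=value ...]")
    name, pairs = tokens[1], tokens[2:]

    # Extra dispatch options (e.g. trigger_actions) go first, then args.*
    form = dict(extra or {})
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value argument: {pair!r}")
        form["args." + key] = value

    # Percent-encode every path segment so a name containing spaces or
    # slashes cannot change which endpoint is addressed.
    path = "/servicesNS/{}/{}/saved/searches/{}/dispatch".format(
        quote(owner, safe=""), quote(app, safe=""), quote(name, safe=""))
    body = urlencode(form).encode("ascii")
    return Request(base_url.rstrip("/") + path, data=body, method="POST")


if __name__ == "__main__":
    # Constructed sample input taken from the question in this thread.
    req = savedsearch_to_dispatch(
        '|savedsearch mysearch replace_me="value"',
        "https://localhost:8089", "svc_user_bob", "apm_snpm",
        extra={"trigger_actions": "1"})
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Sending the request with `urllib.request.urlopen` verifies the server certificate by default, unlike the `curl -k` calls in the thread. Supplying credentials from an environment variable or a prompt also keeps the password out of the process list and shell history.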