Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the SID (via rest api) for a single scheduled report previously created from the Web UI

wmoy
New Member
‎12-11-2019 12:38 PM

I have a number of scheduled reports previously created via the WEB UI following a template similar to the ones shown below as the report name.

  • [Report-devicename1] app name denies
  • [Report-devicename1] app name allows
  • [Report-devicename2] app name denies
  • [Report-devicename2] app name>allows

I am able to get the sid for All the scheduled report with https:..../search/jobs --get output_mode=csv,
but how can I get the sid for just a particular report for example, "[Report-devicename2] app name denies" with the rest api is where I'm having trouble.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-11-2019 01:05 PM

Hi @wmoy,

You can use this for alerts : https://<host>:<mPort>/services/alerts/fired_alerts/{name} it will give you the sid of the instances of your alerts. More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#alerts.2Ffired_alerts.2F.7Bna...

And this for reports : https://<host>:<mPort>/services/saved/searches/{name}/history
More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...

Let me know if that helps.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎12-11-2019 02:39 PM

Hello David,

No joy...

Tried the "...saved/searches/{name}/history" after converting to uri-encode format for "name" and the response was a http/404 with an response message starting with ERROR">Cannot find saved search with name...." the string reported back as the "name" was correct.

As a sanity check, I went to the Web UI and was successful in bringing up the report...

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-11-2019 01:05 PM

Hi @wmoy,

You can use this for alerts : https://<host>:<mPort>/services/alerts/fired_alerts/{name} it will give you the sid of the instances of your alerts. More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#alerts.2Ffired_alerts.2F.7Bna...

And this for reports : https://<host>:<mPort>/services/saved/searches/{name}/history
More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎12-11-2019 02:40 PM

Hello David,

No joy...

Tried the "...saved/searches/{name}/history" after converting to uri-encode format for "name" and the response was a http/404 with an response message starting with ERROR">Cannot find saved search with name...." the string reported back as the "name" was correct.

As a sanity check, I went to the Web UI and was successful in bringing up the report...

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-11-2019 10:09 PM

Did you try going to the REST endpoint URL directly in your browser ? Is that what u mean by tried via the Web UI ?
Start from there, if you can see the data then making the |REST command should br easy. Let me know if you got nothing and I'll link u the rest command.

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎01-02-2020 10:28 AM

David,

The "|REST" command was the clue that help me figured out the correct api syntax.

Thanks for your help !.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...