Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the SID (via rest api) for a single scheduled report previously created from the Web UI

wmoy
New Member
‎12-11-2019 12:38 PM

I have a number of scheduled reports previously created via the WEB UI following a template similar to the ones shown below as the report name.

  • [Report-devicename1] app name denies
  • [Report-devicename1] app name allows
  • [Report-devicename2] app name denies
  • [Report-devicename2] app name>allows

I am able to get the sid for All the scheduled report with https:..../search/jobs --get output_mode=csv,
but how can I get the sid for just a particular report for example, "[Report-devicename2] app name denies" with the rest api is where I'm having trouble.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-11-2019 01:05 PM

Hi @wmoy,

You can use this for alerts : https://<host>:<mPort>/services/alerts/fired_alerts/{name} it will give you the sid of the instances of your alerts. More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#alerts.2Ffired_alerts.2F.7Bna...

And this for reports : https://<host>:<mPort>/services/saved/searches/{name}/history
More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...

Let me know if that helps.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎12-11-2019 02:39 PM

Hello David,

No joy...

Tried the "...saved/searches/{name}/history" after converting to uri-encode format for "name" and the response was a http/404 with an response message starting with ERROR">Cannot find saved search with name...." the string reported back as the "name" was correct.

As a sanity check, I went to the Web UI and was successful in bringing up the report...

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎12-11-2019 01:05 PM

Hi @wmoy,

You can use this for alerts : https://<host>:<mPort>/services/alerts/fired_alerts/{name} it will give you the sid of the instances of your alerts. More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#alerts.2Ffired_alerts.2F.7Bna...

And this for reports : https://<host>:<mPort>/services/saved/searches/{name}/history
More details here :
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎12-11-2019 02:40 PM

Hello David,

No joy...

Tried the "...saved/searches/{name}/history" after converting to uri-encode format for "name" and the response was a http/404 with an response message starting with ERROR">Cannot find saved search with name...." the string reported back as the "name" was correct.

As a sanity check, I went to the Web UI and was successful in bringing up the report...

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-11-2019 10:09 PM

Did you try going to the REST endpoint URL directly in your browser ? Is that what u mean by tried via the Web UI ?
Start from there, if you can see the data then making the |REST command should br easy. Let me know if you got nothing and I'll link u the rest command.

0 Karma
Reply
Solved! Jump to solution

wmoy
New Member
‎01-02-2020 10:28 AM

David,

The "|REST" command was the clue that help me figured out the correct api syntax.

Thanks for your help !.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...