Getting Data In

How to request an accelerated report via REST?

althomas
Communicator

Hi,

We have a requirement to pull data out of a report that they want updated at (near-enough) real time, so we've created a stats table of the data and put it into a report, which has then been accelerated. We want to be able to grab the data via REST so it can be used in a different application we are creating. How is this done?

Currently, if I run the report, I can see the most recent search id and I can see that it has been run based on a summary ID.
In Job Manager, it reports the following:
Search ID: myuser__nobody__search__RMD5a79ee73818f66aa4_at_1507109756_45011
Summary ID: 1F08A505-35F7-44C1-B50E-2D1D9BB70318_search_nobody_NSfd08606a4b07f6bc

If I run (using the search ID):

curl -k -u myuser https://localhost:8089/services/search/jobs/myuser__nobody__search__RMD5a79ee73818f66aa4_at_1507109756_45011

I get results for the most current run, but I don't know if this resultset will update as the underlying data changes.

If I run (using the summary ID):

curl -k -u myuser https://localhost:8089/services/search/jobs/1F08A505-35F7-44C1-B50E-2D1D9BB70318_search_nobody_NSfd08606a4b07f6bc/results?count=0

I get a response of: Unknown sid.

Is there an easy way to always request the latest state of the accelerated report?

Thanks!

Best regards,
Alex

althomas
Communicator

This does technically work, but the first one will only return a result if I've manually gone and run the report recently; otherwise there is no search ID.

Having fiddled about with it a bit, the only reliable way I can get a search ID without manually going into the GUI is as follows:
curl -k -u myuser https://localhost:8089/services/search/jobs -d search="| savedsearch my_accelerated_report"

This will return a very simple XML response:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>1511349561.1768776</sid>
</response>

And then you can use that SID to get the result set:

curl -k -u myuser https://localhost:8089/services/search/jobs/1511349561.1768776/results

I'm not sure there's an easier way than this after trawling through the documentation for hours.

0 Karma
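The dispatch-then-fetch sequence described in the reply above, as an added example that is not part of the original thread: it creates the job with `| savedsearch`, reads the `<sid>` from the XML reply, waits for the job to finish, and then fetches all rows. The function names are hypothetical; the example assumes the `output_mode=json` job status fields `isDone` and `isFailed`, restricts the report name because it is interpolated into the search string, and verifies the server certificate instead of using `-k`.

```python
import base64, json, re, ssl, time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

def make_sender(base, user, password, cafile=None):
    """Return send(path, data=None, **params) using HTTP Basic auth over verified TLS."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA that signed the splunkd cert
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    def send(path, data=None, **params):
        url = base + path + ("?" + urlencode(params) if params else "")
        body = urlencode(data).encode() if data else None  # a body makes it a POST
        req = Request(url, data=body, headers={"Authorization": auth})
        with urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode()
    return send

def parse_sid(xml_text):
    """Pull the job id out of the <response><sid>...</sid></response> reply."""
    sid = ET.fromstring(xml_text).findtext("sid")
    if not sid:
        raise ValueError("job creation response contained no <sid>")
    return sid

def fetch_report(send, report, poll=1.0, max_wait=120):
    """Dispatch '| savedsearch <report>', wait for the job, return its result rows."""
    # The name is interpolated into SPL, so accept only plain report names.
    if not re.fullmatch(r"[\w .-]+", report):
        raise ValueError("unexpected characters in report name")
    created = send("/services/search/jobs", data={"search": f'| savedsearch "{report}"'})
    job = "/services/search/jobs/" + quote(parse_sid(created), safe="")
    deadline = time.monotonic() + max_wait
    while True:
        state = json.loads(send(job, output_mode="json"))["entry"][0]["content"]
        if state.get("isFailed"):
            raise RuntimeError("search job failed")
        if state.get("isDone"):
            break
        if time.monotonic() > deadline:
            raise TimeoutError("search job did not finish in time")
        time.sleep(poll)
    # count=0 asks for every row instead of the default page size.
    return json.loads(send(job + "/results", output_mode="json", count=0))["results"]

if __name__ == "__main__":
    import getpass
    send = make_sender("https://localhost:8089", "myuser", getpass.getpass())
    print(fetch_report(send, "my_accelerated_report"))
```
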