- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to request an accelerated report via REST?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to request an accelerated report via REST?
Hi,
We have a requirement to pull data out of a report that they want updated at (near-enough) real time, so we've created a stats table of the data and put it into a report, which has then been accelerated. We want to be able to grab the data via REST so it can be used in a different application we are creating. How is this done?
Currently, if I run the report, I can see the most recent search id and I can see that it has been run based on a summary ID.
In Job Manager, it reports the following:
Search ID: myuser__nobody__search__RMD5a79ee73818f66aa4_at_1507109756_45011
Summary ID: 1F08A505-35F7-44C1-B50E-2D1D9BB70318_search_nobody_NSfd08606a4b07f6bc
If I run (using the search ID):
curl -k -u myuser https://localhost:8089/services/search/jobs/myuser__nobody__search__RMD5a79ee73818f66aa4_at_1507109756_45011
I get results for the most current run, but I don't know if this resultset will update as the underlying data changes
If I run (using the summary ID):
curl -k -u myuser https://localhost:8089/services/search/jobs/1F08A505-35F7-44C1-B50E-2D1D9BB70318_search_nobody_NSfd08606a4b07f6bc/results?count=0
I get a response of: Unknown sid.
Is there an easy way to always request the latest state of the accelerated report?
Thanks!
Best regards,
Alex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think if you use https://localhost:8089/services/saved/searches/{name}/history first, you can grab title out of it and use that in https://localhost:8089/services/search/jobs/{title}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does technically work, but the first one will only return a result if I've manually gone and run the report recently, otherwise there is no search ID.
Having fiddled about with it a bit, the only reliable way I can get a search ID without manually going into the GUI is as follows:
curl -k -u myuser https://localhost:8089/services/search/jobs -d search="| savedsearch my_accelerated_report"
This will return a very simple XML response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<sid>1511349561.1768776</sid>
</response>
And then you can use that SID to get the result set:
curl -k -u myuser https://localhost:8089/services/search/jobs/1511349561.1768776/results
I'm not sure there's an easier way than this after trawling through the documentation for hours.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
