Solved: Re: Not able to list out the saved search using RE...

anoopambli · ‎06-20-2016

I am trying to figure out how to execute a saved search and get the results using the REST API. I have created few saved searches, but I'm not able to list them when I try curl -ks -u admin: https://splunkrest:8089/services/saved/searches. It just shows the default searches.

Any specific permission I need to set on the saved search so that they can be used via REST API?

somesoni2 · ‎06-20-2016

Give this a try

curl -ks -u admin: https://splunkrest:8089/servicesNS/-/-/saved/searches

View solution in original post

somesoni2 · ‎06-20-2016

Give this a try

curl -ks -u admin: https://splunkrest:8089/servicesNS/-/-/saved/searches

anoopambli · ‎06-20-2016

I am able to view my saved search properties now. Thanks for your help. When I try to execute REST API call for dispatching the saved search, I get following error message, Any idea?

bash-3.2$ curl -ks -u : https://splunkrestsvc.fmrco.com/servicesNS/-/-/saved/searches/API_Test/dispatch -d force_dispatch=true

<msg type="ERROR">

In handler 'savedsearch': Cannot edit/create a saved search for wildcarded users or applications

anoopambli · ‎06-20-2016

In handler 'savedsearch': Cannot edit/create a saved search for wildcarded users or applications is the error message.

somesoni2 · ‎06-20-2016

The endpoint is actually this

 https://splunkrestsvc.fmrco.com/servicesNS/USER/APP/saved/searches.

Once you've the property using first curl, grab the owner/author and the app context and use that for your second dispatch curl.

anoopambli · ‎06-22-2016

Super cool, that worked. Thanks a ton.

Not able to list out the saved search using REST API

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application