Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Not able to list out the saved search using RE...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to figure out how to execute a saved search and get the results using the REST API. I have created few saved searches, but I'm not able to list them when I try curl -ks -u admin: https://splunkrest:8089/services/saved/searches. It just shows the default searches.
Any specific permission I need to set on the saved search so that they can be used via REST API?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am able to view my saved search properties now. Thanks for your help. When I try to execute REST API call for dispatching the saved search, I get following error message, Any idea?
bash-3.2$ curl -ks -u : https://splunkrestsvc.fmrco.com/servicesNS/-/-/saved/searches/API_Test/dispatch -d force_dispatch=true
<msg type="ERROR">
In handler 'savedsearch': Cannot edit/create a saved search for wildcarded users or applications
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In handler 'savedsearch': Cannot edit/create a saved search for wildcarded users or applications is the error message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The endpoint is actually this
https://splunkrestsvc.fmrco.com/servicesNS/USER/APP/saved/searches.
Once you've the property using first curl, grab the owner/author and the app context and use that for your second dispatch curl.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Super cool, that worked. Thanks a ton.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
