Splunk using rest api to fetch app name / id

Dawson014
Path Finder

Hello fellow Splunkers,

I am using the following query to fetch the Splunk app name on a standalone search head -

| rest /services/search/jobs splunk_server=local 
| addinfo 
| where sid = info_sid 
| rename eai:acl.app as app_name
| fields + app_name

However, this same query is not working in SHC. It shows "No results found".
Any suggestions would be appreciated.

Thanks!

1 Solution

sdawsonkg
Path Finder

If you're running the query on a dashboard then this should work -

<your_base_query>
| eval app_name = "$env:app$"
| ...

However, this will not work if you are running the query on a search panel.


Dawson014
Path Finder

This will do. Thanks!

sdawsonkg
Path Finder

Good. Cheers!

renjith_nair
Legend

Hi @Dawson014,
Try running just | rest /services/search/jobs and see if it works

---
What goes around comes around. If it helps, hit it with Karma 🙂

Dawson014
Path Finder

Tried this, worked once. Then again the same "No results found".
