Solved: Splunk using rest api to fetch app name / id

Dawson014 · ‎06-27-2018

Hello fellow Splunkers,

I am using the following query to fetch the splunk app name in standalone search head -

| rest /services/search/jobs splunk_server=local 
| addinfo 
| where sid = info_sid 
| rename eai:acl.app as app_name
| fields + app_name

However, this same query is not working in SHC. It shows No results found
Any suggestions would be appreciated.

Thanks!

sdawsonkg · ‎07-20-2018

If you're running the query on a dashboard then this should work -

<your_base_query>
| eval app_name = $env:app$
| ...

However, this will not work if you are running the query on a search panel.

sdawsonkg · ‎07-20-2018

If you're running the query on a dashboard then this should work -

<your_base_query>
| eval app_name = $env:app$
| ...

However, this will not work if you are running the query on a search panel.

Dawson014 · ‎07-20-2018

This will do. Thanks!

sdawsonkg · ‎07-20-2018

Good. Cheers!

renjith_nair · ‎06-27-2018

Hi @Dawson014,
Try running just | rest /services/search/jobs and see if it works

---
What goes around comes around. If it helps, hit it with Karma 🙂

Dawson014 · ‎06-27-2018

Tried this, worked once. Then again the same No Results founds

Splunk using rest api to fetch app name / id