Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to export results from a saved search by name and not by job_id using Splunk's REST API?

shacham
Explorer
‎07-15-2015 08:16 AM

I have a saved search that runs every day.
I want to get the results with the Splunk REST API.

I found that I can get the results with the job_id that I got from "inspect job":

curl --get -k -u admin:myuser -d "output_mode=csv"  https://searcher-job:8089/services/search/jobs/1234.56789/results > results.csv

But I'm afraid that each day the job_id will change (or each time I will add changes) , and then my service won't work. I want to get the same result with the saved search name.

Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-15-2015 08:23 AM

Make sure your search is scheduled.

Then, you hit saved/searches/{name}/history to get the SID. You'll have to parse the response.

Then, you hit /services/search/jobs/{SID}/results to get your results.

Two step process.

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-15-2015 08:23 AM

Make sure your search is scheduled.

Then, you hit saved/searches/{name}/history to get the SID. You'll have to parse the response.

Then, you hit /services/search/jobs/{SID}/results to get your results.

Two step process.

Reply
Solved! Jump to solution

shacham
Explorer
‎07-16-2015 07:40 AM

Thanks, it worked for me.

For those of you trying to find the sid and parse it, you will find it here:

<title>scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</id>

The SID here is = scheduler_d2ViX21vYmlsZQ_k2_at_1437056820_11162

Also, if you get only 100 results, this is the defualt and you can remove it by adding:
-d "count=0"
to the results command.

Reply
Solved! Jump to solution

vandelin
New Member
‎05-02-2020 11:22 AM

I would like to know how you send the curl history command on a saved search and then capture just the SID and then have it execute a {sid}/results, all in one shot , i know its a two step process but to automate this I will need to run history capture SID then run results on the SID.

Any thoughts

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...