I have a saved search that runs every day.
I want to get the results with the Splunk REST API.
I found that I can get the results with the job_id that I got from "inspect job":
curl --get -k -u admin:myuser -d "output_mode=csv" https://searcher-job:8089/services/search/jobs/1234.56789/results > results.csv
But I'm afraid that each day the job_id will change (or each time I make changes), and then my service won't work. I want to get the same result with the saved search name.
Make sure your search is scheduled.
Then, you hit saved/searches/{name}/history
to get the SID. You'll have to parse the response.
Then, you hit /services/search/jobs/{SID}/results
to get your results.
Two-step process.
Thanks, it worked for me.
For those of you trying to find the sid and parse it, you will find it here:
<title>scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</title>
<id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</id>
The SID here is scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162
Also, if you get only 100 results, this is the default and you can remove it by adding:
-d "count=0"
to the results command.
I would like to know how you send the curl history command on a saved search, then capture just the SID, then have it execute a {sid}/results, all in one shot. I know it's a two-step process, but to automate this I will need to run history, capture the SID, then run results on the SID.
Any thoughts?
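The two-step process from the accepted answer (history endpoint, parse the SID, results endpoint), chained into one call as the last comment asks for. This is an added example, not code from the thread or from Splunk; it uses only the Python 3 standard library. The base URL, saved search name, service account and CA file in the comments are placeholders, and the sample feed is constructed: its first entry is the one quoted in the thread, the second is invented (one day later) so the "newest run" selection is visible. Beyond the `<entry>`/`<title>`/`<id>` shape shown in the thread, nothing about the feed layout is assumed; the newest run is chosen by the epoch embedded in the SID itself, so the order Splunk lists entries in does not matter.

```python
"""One-shot fetch of the latest results of a scheduled Splunk saved search.

Step 1: GET <base>/services/saved/searches/<name>/history   -> Atom feed, one <entry> per past run
Step 2: pick the newest SID from the feed (the entry <title>)
Step 3: GET <base>/services/search/jobs/<sid>/results?output_mode=csv&count=0
"""
import base64
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Scheduled-run SIDs carry the scheduled time as an epoch: ..._at_<epoch>_<n>
# (as in scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162 from the thread).
SID_EPOCH = re.compile(r"_at_(\d+)_\d+$")


def history_url(base: str, name: str) -> str:
    """URL of the saved search's job history; the name is URL-encoded (it may contain spaces)."""
    return f"{base}/services/saved/searches/{urllib.parse.quote(name, safe='')}/history"


def results_url(base: str, sid: str, output_mode: str = "csv", count: int = 0) -> str:
    """URL of a job's results; count=0 lifts the 100-row default mentioned in the thread."""
    query = urllib.parse.urlencode({"output_mode": output_mode, "count": count})
    return f"{base}/services/search/jobs/{urllib.parse.quote(sid, safe='')}/results?{query}"


def sids_from_history(atom_xml: str) -> list:
    """All scheduler SIDs in a history feed, newest first by the epoch embedded in the SID.

    Sorting by the SID's own timestamp avoids relying on the order Splunk lists entries in.
    Entries whose title does not look like a scheduler SID are ignored.
    """
    root = ET.fromstring(atom_xml)
    found = []
    for entry in root.iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title") or ""
        match = SID_EPOCH.search(title)
        if match:
            found.append((int(match.group(1)), title))
    found.sort(reverse=True)
    return [sid for _, sid in found]


def latest_sid(atom_xml: str):
    """Newest SID in the feed, or None if the search has not run yet."""
    sids = sids_from_history(atom_xml)
    return sids[0] if sids else None


def fetch(url: str, user: str, password: str, cafile: str = None, insecure: bool = False) -> str:
    """HTTP GET with Basic auth. TLS is verified by default; insecure=True mirrors curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:  # only for lab instances with self-signed certs you cannot pin via cafile
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()


def latest_results(base: str, name: str, user: str, password: str, **tls) -> str:
    """The two-step process in one call: history -> SID -> results (CSV text)."""
    sid = latest_sid(fetch(history_url(base, name), user, password, **tls))
    if sid is None:
        raise RuntimeError(f"saved search {name!r} has no scheduled runs yet")
    return fetch(results_url(base, sid), user, password, **tls)


# Constructed sample of what the history endpoint returns. The first entry is the one quoted
# in the thread; the second (one day later) is made up so the "newest" selection is visible.
SAMPLE_HISTORY = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>history</title>
  <entry>
    <title>scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</title>
    <id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437056820_11162</id>
  </entry>
  <entry>
    <title>scheduler__d2ViX21vYmlsZQ__k2_at_1437143220_11170</title>
    <id>https://searcher-job:8089/servicesNS/nobody/web_mobile/search/jobs/scheduler__d2ViX21vYmlsZQ__k2_at_1437143220_11170</id>
  </entry>
</feed>
"""

if __name__ == "__main__":
    # Offline demo of the parsing step. The live, one-shot call would be (placeholder values):
    # latest_results("https://searcher-job:8089", "my_daily_search", "svc_user", "secret", cafile="splunk-ca.pem")
    sid = latest_sid(SAMPLE_HISTORY)
    print("newest SID:", sid)
    print("results URL:", results_url("https://searcher-job:8089", sid))
```

Two points for a service that runs this daily: the curl in the question uses -k, which disables certificate checking, so pass the Splunk CA with cafile instead and keep insecure=True for lab boxes only; and rather than the admin account, use a dedicated user whose role can only read this search's jobs, with the password supplied from the environment or a secrets store rather than the script.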