Other Usage

How to rest API to get results of a scheduled report?

bhjohns
Explorer

Hello.  I know there have been a few posts on this topic, but I've been messing with it most of the day and the other posts weren't able to help me reach a solution.  Hoping someone can provide some guidance.

I'm looking to pull some aggregate information out of Splunk via API requests but wanted to pre-build the data set using a scheduled report in Splunk so that the API request will return faster just pulling the results of the last run vs running the search itself before returning results.

In the UI I've created a report named test.  I've tried a few different schedules and it ran twice earlier today, but at the moment I have it on the cron schedule of 0 1 * * 4 (1 on Thursdays).

Via the API I can fetch the saved report named test like this:

 

https://SPLUNKURL:8089/services/scheduled/views/test

 

but no matter what schedule I set or modify in the UI, the results always show 

 

cron_schedule	0 6 * * 1
is_scheduled	0

 

with the same results when requesting

 

https://SPLUNKURL:8089/servicesNS/APP/search/scheduled/views/_ScheduledView__test

 

and when I try

 

https://SPLUNKURL:8089/services/scheduled/views/test/history

 

I simply receive 

 

<response>
<messages>
<msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
</messages>
</response>

 

even though I know it ran twice in the last day and I can see the results in the UI.  Similarly, I tried updating the schedule via the API with

 

curl -u user:password --request POST 'https://SPLUNKURL:8089/services/scheduled/views/test/reschedule/' --data schedule_time=2022-03-03T04:00:01Z

 

and I get the same result

 

<response>
  <messages>
    <msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
  </messages>
</response>

 

 Am I missing something?  I see the scheduled view and it's scheduled in the UI but I can't figure out any way to see or access the schedule or history via the API.  Hoping someone can shed some light on things as it's not making sense to me at the moment.  Also if it's helpful I checked and I believe our Splunk server version is 6.6.7

Labels (3)
0 Karma
1 Solution

bhjohns
Explorer

In case anyone runs into this same issue.  Still haven't determined why the path being queried wasn't working, but we were able to find two different workarounds.  The first was to modify the endpoint we were hitting to:

 

https://SPLUNKURL:8089/servicesNS/nobody/cet/saved/searches/test/history

 

which successfully returned results and we could use the sids that were returned to query the results via

 

https://SPLUNKURL:8089/servicesNS/nobody/APP/search/jobs/SID/results

 

 

Alternatively, we found that we were able to pull the results directly with an API search query using loadjob like this:

 

curl -u user:password --request POST 'https://SPLUNKURL:8089/services/search/jobs/export' --data search=|%20loadjob%20savedsearch="USER:APP:test"&output_mode=json

 

View solution in original post

bhjohns
Explorer

In case anyone runs into this same issue.  Still haven't determined why the path being queried wasn't working, but we were able to find two different workarounds.  The first was to modify the endpoint we were hitting to:

 

https://SPLUNKURL:8089/servicesNS/nobody/cet/saved/searches/test/history

 

which successfully returned results and we could use the sids that were returned to query the results via

 

https://SPLUNKURL:8089/servicesNS/nobody/APP/search/jobs/SID/results

 

 

Alternatively, we found that we were able to pull the results directly with an API search query using loadjob like this:

 

curl -u user:password --request POST 'https://SPLUNKURL:8089/services/search/jobs/export' --data search=|%20loadjob%20savedsearch="USER:APP:test"&output_mode=json

 

ibady
Observer

Tried this curl request but not getting any events. Able to get the terminal back so i am thinking there is not syntax errors in the request. 
Can you guide me on this ??

 

0 Karma

bhjohns
Explorer

I can try.  Can you provide details as to what you have set up with saved/scheduled reports, what you see in the UI, and what api call you're making?

0 Karma

ibady
Observer

Search is this :

 

curl -k -H "Authorization: Bearer eyJfd3e46a31246da7ea7f109e7f95fd" --request POST 'https://SPLUNKURL:8089/services/search/jobs/export' --data search='|%20loadjob%20savedsearch="USER:APP:test" earliest_time=-15m@m latest_time=now' output_mode=json

 

Where my schedule search/report is running every 15 minutes and i gave the permission to everyone to test it out. 

Now when i do this search it is giving me the terminal back with no output.

0 Karma

bhjohns
Explorer

Looking at your curl, the saved search result you're pulling is at the path USER:APP:test, but that is the generic example I originally provided and probably has to be updated based on your user, app, and report name details.

Can you confirm that there is data in the UI?  Essentially that curl is just exporting the results of the last run of a saved search.  You can do the same search in the UI with

| loadjob savedsearch="USER:APP:REPORT"

 Just replace USER with your username (may need to be the user owner/creator of the report haven't tested extensively), APP with the Splunk app where the report is saved, and REPORT with the name of the report.

e.g.:

| loadjob savedsearch="bhjohns:engineering:customer configurations"

also make sure to extend the time range of the search as I believe it just pulls the last run as long as one exists within the time range, might as well extend longer to start (a few days), and then shrink to where you expect it to be once you get results returning as expected.

After you get the UI to return the data you expect, then you can try the curl again and just updated the search param in the curl based on what you see working in the UI

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...