Finding specific searches in Splunk via REST API calls

rmoreira
Splunk Employee

I know I can get all of the saved searches from the API, which I can use in order to get information about all searches. I can do this, but I would like to avoid having to parse through all of this information every time I want to access a search. I would like to know if there is a way to get the information for a specific search, including the search ID, given the search name. Currently I am using the following method in the API to get a search ID:

            /services/search/jobs -d "search=search <search string>"

But is there a similar method where I can just call something like the following for a saved search, say saved_search_name, in order to get the search ID?

            /services/search/jobs -d savedSearch=saved_search_name

Thanks.

ineeman
Splunk Employee

The REST API follows a collection/entity model, which just means it has a bunch of collections (search jobs, saved searches, apps, users, views, etc.) and each one of those collections is just a list of entities (a single search job, a single saved search).

For example, the endpoint for all saved searches:
/saved/searches

And the endpoint to get a particular saved search:
/saved/searches/{name}

And in particular for saved searches, if you want to get a list of their running history, you can do:
/saved/searches/{name}/history

Which will give you back job information for that particular saved search. You can read more about collections/entities here and specifically about /history here

ziegfried
Influencer

You can query for specific attributes of the jobs. E.g.

Search for Jobs of a saved search "My Search"

/services/search/jobs?search=label%3DMy%20Search

or with a name starting with "My Search"

/services/search/jobs?search=label%3DMy%20Search*

Note that the value of the search parameter needs to be URL-encoded.

label=My Search* ==> label%3DMy%20Search*

0 Karma
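The URL forms from the two answers above, built with the encoding the last answer calls for. This is an added example, not code from the thread; the base URL (local instance, management port 8089) and the function names are assumptions.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Assumption: local instance on the default management port; adjust as needed.
BASE = "https://localhost:8089/services"


def saved_search_url(name, history=False, base=BASE):
    """URL of one saved search entity, or of its job history."""
    # safe="" also encodes "/", so a name containing a slash stays a single
    # path segment instead of being read as a deeper endpoint.
    segment = quote(name, safe="")
    url = f"{base}/saved/searches/{segment}"
    return url + "/history" if history else url


def jobs_by_label_url(label, prefix=False, base=BASE):
    """URL that filters /search/jobs on label=<label>, optionally by prefix."""
    # Build the whole filter first, then encode it as ONE query value, so "=",
    # "&" and spaces inside the label cannot split or add query parameters.
    # "*" is left literal so it still acts as the wildcard shown in the answer.
    expr = f"label={label}" + ("*" if prefix else "")
    return f"{base}/search/jobs?search={quote(expr, safe='*')}"


def decoded_filter(url):
    """Return the 'search' value as a server would decode it (sanity check)."""
    return parse_qs(urlsplit(url).query)["search"][0]


if __name__ == "__main__":
    # Constructed sample names, including characters that need encoding.
    for name in ["My Search", "Errors / last 24h", "a&b=c"]:
        print(saved_search_url(name))
        print(saved_search_url(name, history=True))
        print(jobs_by_label_url(name, prefix=True))
```

Checking `decoded_filter()` on a generated URL confirms that the server receives exactly one `search` parameter containing the intended filter, whatever characters the saved search name holds.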