Finding specific searches in Splunk via REST API calls

rmoreira
Splunk Employee

I know I can get all of the saved searches from the API, which I can use in order to get information about all searches. I can do this, but I would like to avoid having to parse through all of this information every time I want to access a search. I would like to know if there is a way to get the information for a specific search, including the search ID, given the search name. Currently I am using the following method in the API to get a search ID:

            /services/search/jobs -d "search=search <search string>"

But is there a similar method where I can just call something like the following for a saved search, say saved_search_name, in order to get the search ID?

            /services/search/jobs -d savedSearch=saved_search_name

Thanks.

ineeman
Splunk Employee

The REST API follows a collection/entity model, which just means it has a bunch of collections (search jobs, saved searches, apps, users, views, etc.) and each one of those collections is just a list of entities (a single search job, a single saved search).

For example, the endpoint for all saved searches:
/saved/searches

And the endpoint to get a particular saved search:
/saved/searches/{name}

And in particular for saved searches, if you want to get a list of their running history, you can do:
/saved/searches/{name}/history

Which will give you back job information for that particular saved search. You can read more about collections/entities here and specifically about /history here.

ziegfried
Influencer

You can query for specific attributes of the jobs. E.g.

Search for Jobs of a saved search "My Search"

/services/search/jobs?search=label%3DMy%20Search

or with a name starting with "My Search"

/services/search/jobs?search=label%3DMy%20Search*

Note that the value of the search parameter needs to be URL-encoded.

label=My Search* ==> label%3DMy%20Search*

0 Karma
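
The endpoints from both answers above (ineeman's entity and /history paths, ziegfried's label filter), built with correct percent-encoding, as an added Python example that is not part of the original thread. Assumptions: the base URL uses the default management port, `output_mode=json` is requested, the function names are hypothetical, and the sample response is constructed with an assumed shape in which each entry carries the search ID in `content.sid` or in `name`.

```python
import json
from urllib.parse import quote, urlencode

BASE = "https://localhost:8089"  # assumption: default Splunk management port


def saved_search_url(name, history=False):
    """URL of one saved-search entity, or of its job history.

    The name is encoded as a single path segment (safe=''), so characters
    such as '/', '?' or '#' in a search name cannot alter the request path.
    """
    url = f"{BASE}/services/saved/searches/{quote(name, safe='')}"
    if history:
        url += "/history"
    return url + "?output_mode=json"


def jobs_by_label_url(label, prefix=False):
    """Jobs collection filtered on label; prefix=True appends the '*' wildcard."""
    expr = f"label={label}" + ("*" if prefix else "")
    # quote_via=quote yields %20 for spaces; '*' is left literal as in the thread.
    query = urlencode({"search": expr, "output_mode": "json"},
                      quote_via=quote, safe="*")
    return f"{BASE}/services/search/jobs?{query}"


def extract_sids(body):
    """Collect search IDs from a JSON collection response (assumed shape)."""
    sids = []
    for entry in json.loads(body).get("entry", []):
        sid = entry.get("content", {}).get("sid") or entry.get("name")
        if sid:
            sids.append(sid)
    return sids


# Constructed sample of a /history response; the values are not real job IDs.
SAMPLE_HISTORY = json.dumps({"entry": [
    {"name": "scheduler__admin__search__example_at_1700000000_1", "content": {}},
    {"name": "ignored-title", "content": {"sid": "scheduler__admin__search__example_at_1700003600_2"}},
]})

if __name__ == "__main__":
    print(saved_search_url("My Search", history=True))
    print(jobs_by_label_url("My Search", prefix=True))
    print(extract_sids(SAMPLE_HISTORY))
```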