Reporting

How to call a saved search from a script which is triggered from another saved search??

jitsinha
Path Finder

Hii,

Lets say I have an alert where I trigger a script based on some condition.

Now my question is, is it possible to call another saved search from that script??

I have already created a script through which I call a saved search but problem lies within the authorization I guess, as while executing its asking for my credentials.

All is summary, is it possible to call saved search from another one based on some condition??

0 Karma

kamal_jagga
Contributor
  1. Create 1st search and add the name of your script.

  2. In script, use the curl command to trigger the 2nd search. In the script save the password directly and restrict the access of script.
    Or create another file perms where you can save 64bit encrypted password and read the password in the first script from there.

0 Karma

sidekix24
Path Finder

Thanks Kamal,

Do you have a sample script for triggering that 2nd search?

Thanks again

0 Karma

sidekix24
Path Finder

jitsinha,

Did you ever figure out a solution for this? I'm looking to do something similar. If an alert gets triggered from one report, we need another search to run as part of that alert.

Thanks

Chris

0 Karma

baerts
Path Finder

You could configure a command in commands.conf and set passAuth=true, so splunk will pas an authentication token to stdin of the script/command. You can process this in your script with:

sessionKey = sys.stdin.readline().strip()
tokenize = re.match( r'(.)(.)

0 Karma

jitsinha
Path Finder

Sorry limited knowledge from command.conf front. If possible would you please elaborate?

0 Karma

baerts
Path Finder

Hi Jitsinha!
Half of my answer was gone i realise 🙂 you could create a script that performs your wanted actions (a search) against the REST API. You can access the REST API with the auth token that is passed when configured in commands.conf. In that case, you don't create a spunk alert, but append your script directly to the search you wanted to create the alert on: | script python . Maybe a bit of a long shot though .....

0 Karma

jitsinha
Path Finder

Thanks baerts for your quick response.
Sorry I might not be clear in my question.
Actually I want to trigger a second saved search based on the completion status of the first search.

So lets say I have one saved search "A". I have scheduled is to run at 1Am everyday. Now this search basically a summary search which populates a summary index "IDX-A".
Now I have another saved search "B" which extract the information from summary index IDX-A and do some validation.

Now All what I want to do is to call this saved search "B" from a script which I will be calling from saved search "A"

0 Karma

jitsinha
Path Finder

Thankx musskopf.

But the problem lies with credential sharing. As it will be visible to all persons having access to that script.

Any alternative/ tweak??

0 Karma

musskopf
Builder

So.. are you calling the following search using the splunk console or api? Both you should be able to pass the credentials, for example:

./splunk search 'index=_internal | fields _time | head 1 ' -auth 'admin:secret123'

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...