
How to call a saved search from a script which is triggered from another saved search?

jitsinha
Path Finder

Hi,

Let's say I have an alert where I trigger a script based on some condition.

Now my question is, is it possible to call another saved search from that script?

I have already created a script through which I call a saved search, but the problem lies within the authorization I guess, as while executing it's asking for my credentials.

So in summary, is it possible to call a saved search from another one based on some condition?

0 Karma

kamal_jagga
Contributor
  1. Create the 1st search and add the name of your script.

  2. In the script, use the curl command to trigger the 2nd search. In the script, save the password directly and restrict access to the script.
     Or create another file, perms, where you can save the 64bit encrypted password and read the password in the first script from there.

0 Karma

sidekix24
Path Finder

Thanks Kamal,

Do you have a sample script for triggering that 2nd search?

Thanks again

0 Karma

sidekix24
Path Finder

jitsinha,

Did you ever figure out a solution for this? I'm looking to do something similar. If an alert gets triggered from one report, we need another search to run as part of that alert.

Thanks

Chris

0 Karma

baerts
Path Finder

You could configure a command in commands.conf and set passAuth=true, so Splunk will pass an authentication token to stdin of the script/command. You can process this in your script with:

sessionKey = sys.stdin.readline().strip()
tokenize = re.match( r'(.)(.)

0 Karma

jitsinha
Path Finder

Sorry, limited knowledge on the commands.conf front. If possible, would you please elaborate?

0 Karma

baerts
Path Finder

Hi Jitsinha!
Half of my answer was gone, I realise 🙂 You could create a script that performs your wanted actions (a search) against the REST API. You can access the REST API with the auth token that is passed when configured in commands.conf. In that case, you don't create a Splunk alert, but append your script directly to the search you wanted to create the alert on: | script python . Maybe a bit of a long shot though .....

0 Karma

jitsinha
Path Finder

Thanks baerts for your quick response.
Sorry, I might not have been clear in my question.
Actually I want to trigger a second saved search based on the completion status of the first search.

So let's say I have one saved search "A". I have scheduled it to run at 1 AM every day. Now this search is basically a summary search which populates a summary index "IDX-A".
Now I have another saved search "B" which extracts the information from summary index IDX-A and does some validation.

Now all I want to do is call this saved search "B" from a script which I will be calling from saved search "A".

0 Karma

jitsinha
Path Finder

Thanks musskopf.

But the problem lies with credential sharing, as it will be visible to all persons having access to that script.

Any alternative/tweak?

0 Karma

musskopf
Builder

So.. are you calling the following search using the Splunk console or the API? With both you should be able to pass the credentials, for example:

./splunk search 'index=_internal | fields _time | head 1 ' -auth 'admin:secret123'

0 Karma
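Putting baerts' passAuth suggestion together with the credential-sharing concern raised above, here is an added example (not code from anyone in this thread) of a Python script that reads the session key Splunk hands it on stdin and dispatches the second saved search ("B") through the REST API, so no password has to live in the script. The stdin format (bare key or "sessionKey=<key>"), the management URL, the app name and the CA file are assumptions.

```python
import json
import re
import ssl
import sys
import urllib.parse
import urllib.request

def parse_session_key(first_line):
    """Extract the session key from the first stdin line.
    Assumed formats: a bare key, or 'sessionKey=<url-encoded key>'."""
    line = first_line.strip()
    m = re.match(r'^sessionKey=(.+)$', line)
    key = urllib.parse.unquote(m.group(1)) if m else line
    if not key:
        raise ValueError("no session key on stdin; is passAuth enabled?")
    return key

def build_dispatch_request(base_url, app, search_name, session_key):
    """Build the POST to saved/searches/<name>/dispatch, authenticated with
    the passed session key instead of a stored username/password."""
    url = "%s/servicesNS/nobody/%s/saved/searches/%s/dispatch" % (
        base_url.rstrip("/"),
        urllib.parse.quote(app, safe=""),
        urllib.parse.quote(search_name, safe=""))
    headers = {"Authorization": "Splunk " + session_key}
    body = urllib.parse.urlencode(
        {"trigger_actions": "1", "output_mode": "json"}).encode()
    return url, headers, body

def dispatch_saved_search(base_url, app, search_name, session_key, ca_file=None):
    """Run the saved search and return its search id (sid).
    ca_file: CA bundle that signed splunkd's cert (the default cert is
    self-signed, so pass the one you trust rather than disabling checks)."""
    url, headers, body = build_dispatch_request(base_url, app, search_name, session_key)
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        return json.load(resp)["sid"]

if __name__ == "__main__":
    # Values below are placeholders for a real deployment.
    key = parse_session_key(sys.stdin.readline())
    sid = dispatch_saved_search("https://localhost:8089", "search", "B", key,
                                ca_file="/opt/splunk/etc/auth/cacert.pem")
    print("dispatched saved search B, sid=%s" % sid)
```

Restrict the script's file permissions anyway, since whoever can edit it can act with the session key Splunk passes in.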