Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: How to construct hyperlink from sid
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to construct hyperlink from sid
I am using REST API search endpoints to invoke a search. When the search completes, I get a SID from the json response. I then create an email with the search result. In additional, I want to include a hyperlink in the email that will take me to splunk displaying the same result (with the same criteria including the time window). Can I use the SID to do this (as long as the SID hasn't expired)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Wang,
Try the following URL, to open Search page with sid
It will return the same results as the original query and for the same time duration
http://localhost:8000/en-US/app/search/search?sid=your_sid
Please accept the answer if it works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @wang,
You can achieve this, while creating new job using REST API please provide unique id to search job so that will act as SID
Something like curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal | stats count by host" -d id=mysearch_31102018114300
And after that you can create hyperlink with email so hyperlink should be like this http[s]://SEARCH_HEAD:PORT/app/APP_NAME/search?q=%7Cloadjob%20SID
Based on example I have provided with id=mysearch_31102018114300, hyperlink should be like this http[s]://SEARCH_HEAD:PORT/app/APP_NAME/search?q=%7Cloadjob%20mysearch_31102018114300
As I was not able to fetch latestime from job ID so we can't provide earliest and latest time in hyperlink however when you use loadjob it will exactly load same result when job ran with given timeframe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this with the SID I got back from the response:
And got this error:
Error in 'SearchOperator:loadjob': The search artifact for job '1541017578.20031_E86B55B0-BB4E-4D2E-9BA0-23B22288B1CA' is not available because we cannot proxy an ad-hoc job in a searchhead cluster. Please run the search locally.
What does this mean?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, I didn't know that you are running Search Head Cluster, in SHC adhoc job will not be replicated to other members in same cluster and in your case job when you try to construct URL and hit that LB is redirecting it to other member on which job didn't run.
You can try something like this but I am not sure whether this will work or not, when you will fetch data from job with SID, you will able to find search head from searchProviders, when I ran 2-3 jobs generally Search Head will be at first position and Indexers will start from 2nd position. If this will be consistent in all jobs then you can fetch Search Head from there construct hyperlink with Search Head directly (Unfortunately you will not able to use VIP configured for SHC members in hyperlink.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
