Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to start a saved search using REST API

mauhumor
Explorer
‎11-12-2010 01:23 AM

How to start a saved search using REST API URL?

I can make a GET the saves searchs, extract the 'search' expression and run it using a POST.

But I could not find any reference on how to start a job passing as an argument a saves search ID instead of the search expression.

Is there a another URL or parameter for that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎11-13-2010 01:02 AM 
curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://localhost:8089/services/search/jobs/

This will call a savedsearch named "Errors in the last 24 hours" - one of the default splunk saved searches..

Check this thread for some more info on how to run rest api searches, how to check if the search has finished, and how to get the results http://answers.splunk.com/questions/8940/

View solution in original post

Reply
Solved! Jump to solution

dishasaxena
Path Finder
‎08-09-2013 05:10 AM

You can get the search ID for the saved search by running below command:

curl -k -u user:password https://localhost:8089/servicesNS/admin/search/saved/searches/My_Saved_Search/dispatch -d "trigger_actions=1"

You will get a response like below:

admin__admin__search__RMD53566916a3c467274_at_1376044050_4161

Now you can get the output by running below command:

curl -k -u user:password https://localhost:8089/servicesNS/admin/search/search/jobs/admin__admin__search__RMD53566916a3c46727... --get  -d output_mode=csv -d count=10

Note: admin__admin__search__RMD53566916a3c467274_at_1376044050_4161 is the serach ID you received from output of above command.

Reply
Solved! Jump to solution

jgigliotti
Engager
‎06-17-2016 12:53 AM

I use the example to search ID for my saved search however get the following error, any assistance please thanks.

curl -k -u user:password https://localhost:8089/servicesNS/admin/search/saved/searches/My_Saved_Search/dispatch -d "trigger_action=1"


<msg type="ERROR">
 In handler 'savedsearch': Argument "trigger_action" is not supported by this handler.
0 Karma
Reply
Solved! Jump to solution

raugugliaro
New Member
‎02-14-2018 10:25 AM

Just FYI for anybody reading this thread its "trigger_actions" not "trigger_action"

0 Karma
Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎11-13-2010 01:02 AM 
curl -k -u admin:changeme -d "search=savedsearch %22Errors%20in%20the%20last%2024%20hours%22" https://localhost:8089/services/search/jobs/

This will call a savedsearch named "Errors in the last 24 hours" - one of the default splunk saved searches..

Check this thread for some more info on how to run rest api searches, how to check if the search has finished, and how to get the results http://answers.splunk.com/questions/8940/

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...