Splunk Dev

API call to retrieve information about a search when the search name contains brackets

CKM
New Member

I have been using the Splunk API from within a Python script to retrieve information about saved searches using a call to the endpoint:

 

hxxps://<splunk_server>/-/-/saved/searches/<name_of_saved_search>?output_mode=json

 

The <name_of_saved_search> has been URL encoded to deal with some punctuation (including '/'), using the Python function:

 

name_of_searched_search = urllib.parse.quote(search_name, safe='')

 

It has been working so far, but recently I encountered an issue when the name of the saved search contains square brackets (e.g. "[123] My Search")

Even after URL encoding, Splunk's API just does not accept the API call at the endpoint:

 

hxxps://<splunk_server>/-/-/saved/searches/%5B123%5D%20My%20Search?output_mode=json

 

and returns a response with HTTP status code of 404 (Not Found).

I am not sure what else I should be doing to handle the square brackets in the name of the saved search to make the API call work.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...