How to Pass span from REST API call

splunkingsplunk · ‎06-14-2012

Hi Everyone,

I am getting data to our monitoring dashboards from splunk. The dashboards display data for 2hr, 24hrs, 7 days. So I am able to provide earliest and latest time from rest api to the saved search. but also i have to change timechart span based on timeperiod(2hr:-span=5min , 24hrs:- span=1hr 7days:-span=1day). is there any away i can also pass span parameter to the saved search. so that i can minimize my saved searches from 20 to 5.

ineeman · ‎07-11-2012

Great question - I had to go ask someone 🙂

The answer is that yes, you can. If you create saved search called "Foo" with a query like this:

index=_internal | timechart span=$span$ count

You can then execute it by executing a search like this:

| savedsearch Foo span=1d

So from the REST API perspective, you would make a POST request to the search/jobs endpoint with the search parameter set to the above query.

Hopefully that makes sense - let me know if you need nay more clarification.

How to Pass span from REST API call

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to Pass span from REST API call

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES