How to Pass span from REST API call

splunkingsplunk · ‎06-14-2012

Hi Everyone,

I am getting data to our monitoring dashboards from splunk. The dashboards display data for 2hr, 24hrs, 7 days. So I am able to provide earliest and latest time from rest api to the saved search. but also i have to change timechart span based on timeperiod(2hr:-span=5min , 24hrs:- span=1hr 7days:-span=1day). is there any away i can also pass span parameter to the saved search. so that i can minimize my saved searches from 20 to 5.

ineeman · ‎07-11-2012

Great question - I had to go ask someone 🙂

The answer is that yes, you can. If you create saved search called "Foo" with a query like this:

index=_internal | timechart span=$span$ count

You can then execute it by executing a search like this:

| savedsearch Foo span=1d

So from the REST API perspective, you would make a POST request to the search/jobs endpoint with the search parameter set to the above query.

Hopefully that makes sense - let me know if you need nay more clarification.

How to Pass span from REST API call

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

How to Pass span from REST API call

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination