How to Pass span from REST API call

splunkingsplunk · ‎06-14-2012

Hi Everyone,

I am getting data to our monitoring dashboards from splunk. The dashboards display data for 2hr, 24hrs, 7 days. So I am able to provide earliest and latest time from rest api to the saved search. but also i have to change timechart span based on timeperiod(2hr:-span=5min , 24hrs:- span=1hr 7days:-span=1day). is there any away i can also pass span parameter to the saved search. so that i can minimize my saved searches from 20 to 5.

ineeman · ‎07-11-2012

Great question - I had to go ask someone 🙂

The answer is that yes, you can. If you create saved search called "Foo" with a query like this:

index=_internal | timechart span=$span$ count

You can then execute it by executing a search like this:

| savedsearch Foo span=1d

So from the REST API perspective, you would make a POST request to the search/jobs endpoint with the search parameter set to the above query.

Hopefully that makes sense - let me know if you need nay more clarification.

How to Pass span from REST API call

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation

How to Pass span from REST API call

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud