Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run a saved search with SDK?

zacharysyoung
Explorer
‎06-06-2012 12:42 PM

I'm new to Splunk, and am trying to run a saved search with the Python SDK, with the client module (not binding), only I don't understand the SDK model well enough (probably don't know Splunk itself well enough either). I can list all saved searches with saved_searches.py or a particular search with saved_search/saved_search.py, and I can run a one-off search:

job  = splunk.jobs.create('search sourcetype=foo earliest=-60m')

but I don't see an interface for running a saved search.

Can the client module run a saved search?

Thank you,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

View solution in original post

Reply
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

Reply
Solved! Jump to solution

zacharysyoung
Explorer
‎06-06-2012 01:59 PM

Thank you, Apruneda. This is exactly the answer.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...