Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk SOAR
- :
- How to Make a Search Result Shareable
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With SOAR's Splunk app (Splunk | Splunkbase), you can pull the SID of your search and append that to your Splunk instance's base URL. This is the same format as if you had clicked the share button in Splunk. Unfortunately, using the link returns "Permission Denied" because the SID hasn't actually been shared.
Does anyone know how to make the results of a search run by the Splunk app shareable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared.
import urllib.parse
#This line won't change between different searches
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="
#This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"
#This is optional, Splunk will use your default if you don't include it
#Times should be epoch format
time_range = f'&earliest={[start]}&latest={[end]}'
#Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable) and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared.
import urllib.parse
#This line won't change between different searches
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="
#This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"
#This is optional, Splunk will use your default if you don't include it
#Times should be epoch format
time_range = f'&earliest={[start]}&latest={[end]}'
#Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable) and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've done something similar but put it as a saved search in an app and shared that. The app contained a dashboard that would load the results from the saved search. I forget the syntax but there is a trick to it and shouldn't be to hard to sort it out.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
