Splunk Search

Get action.script using REST/SDK

mchappidi
Explorer

Hello

Is there any way to get action.script/action.script.filename from searches/jobs using REST/SDK?
I am aware, we can get from savedsearches.

0 Karma

martin_mueller
SplunkTrust

No, the search/jobs endpoint doesn't provide that info. You'd have to take the report's ID built from the label, user, and app returned by search/jobs and look at the saved/searches endpoint as you found out already 🙂

Take a look at this example to illustrate:

| rest /services/search/jobs search="isSavedSearch=1" | rename eai:acl.app as app | fields author app label sid | map search="rest /servicesNS/$author$/$app$/saved/searches/$label$ | fields title action.script action.script.filename | eval sid=\"$sid$\""
0 Karma
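The same join, done from outside Splunk with the REST API rather than with `| rest` and `map`, as an added example that is not from this thread and not Splunk's own code: list `search/jobs`, keep the entries where `isSavedSearch` is set, build each report's `/servicesNS/<owner>/<app>/saved/searches/<label>` URL from the job's owner, app and label, and read `action.script` / `action.script.filename` from that entry. The host name, the session key, and the two JSON payloads are constructed assumptions shaped like Splunk's `output_mode=json` responses; the parsing functions are kept pure so the join can be checked offline, and `fetch_json` is the only part that talks to a live server.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of /services/search/jobs?output_mode=json: one scheduled run of a
# saved search and one ad hoc search (which carries no label and must be skipped).
SAMPLE_JOBS = {"entry": [
    {"name": "scheduler__admin__search__sample_at_1700000000_1", "author": "admin",
     "acl": {"owner": "admin", "app": "search"},
     "content": {"isSavedSearch": True, "label": "Failed logins alert",
                 "sid": "scheduler__admin__search__sample_at_1700000000_1"}},
    {"name": "1700000001.5", "author": "analyst",
     "acl": {"owner": "analyst", "app": "search"},
     "content": {"isSavedSearch": False, "sid": "1700000001.5"}},
]}

# Constructed sample of /servicesNS/admin/search/saved/searches/Failed%20logins%20alert
SAMPLE_SAVED = {"entry": [
    {"name": "Failed logins alert",
     "content": {"search": "index=auth action=failure",
                 "action.script": "1", "action.script.filename": "notify.py"}},
]}


def _truthy(value):
    """Splunk emits true/false in JSON but "1"/"0" on some paths; accept both."""
    return str(value).lower() in ("1", "true")


def saved_search_refs(jobs_json):
    """Equivalent of `rename eai:acl.app as app | fields author app label sid` over the
    jobs listing: (owner, app, label, sid) for each job spawned by a saved search."""
    refs = []
    for entry in jobs_json.get("entry", []):
        content = entry.get("content", {})
        if not _truthy(content.get("isSavedSearch")):
            continue
        acl = entry.get("acl", {})
        owner = acl.get("owner") or entry.get("author")
        refs.append((owner, acl.get("app"), content.get("label"), content.get("sid")))
    return refs


def saved_search_url(base, owner, app, label):
    """Build the saved/searches URL the map in the thread uses. Every path segment is
    percent-encoded (labels often contain spaces or slashes); no wildcard is attempted
    because the endpoint does not expand them."""
    segs = [urllib.parse.quote(s, safe="") for s in (owner, app, label)]
    return f"{base}/servicesNS/{segs[0]}/{segs[1]}/saved/searches/{segs[2]}?output_mode=json"


def script_action(saved_json):
    """Equivalent of `fields title action.script action.script.filename`."""
    entry = saved_json["entry"][0]
    content = entry.get("content", {})
    return {"title": entry["name"],
            "action.script": content.get("action.script"),
            "action.script.filename": content.get("action.script.filename")}


def fetch_json(url, session_key):
    """Live fetch; the caller supplies the (hypothetical) host and session token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def collect_script_actions(base, jobs_json, fetch):
    """Join jobs -> saved search definitions. `fetch` is any callable url -> dict, so the
    same code runs against the live API or against the constructed samples."""
    results = []
    for owner, app, label, sid in saved_search_refs(jobs_json):
        info = script_action(fetch(saved_search_url(base, owner, app, label)))
        info["sid"] = sid
        results.append(info)
    return results


def demo():
    """Run the join offline against the constructed samples."""
    return collect_script_actions("https://splunk.example:8089", SAMPLE_JOBS,
                                  lambda url: SAMPLE_SAVED)


if __name__ == "__main__":
    # Live use: jobs = fetch_json(BASE + "/services/search/jobs?output_mode=json", KEY)
    #           collect_script_actions(BASE, jobs, lambda u: fetch_json(u, KEY))
    print(json.dumps(demo(), indent=2))
```

Two details worth keeping from the thread when running this for real: a saved search is only reachable one label at a time (wildcards in the `servicesNS` path return nothing), and the label must be percent-encoded in the URL, which the `| rest ... $label$` map form hides from you. Filtering the jobs listing by app or label before the per-search fetch keeps the number of REST calls small, the same advice as filtering before `map`.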

mchappidi
Explorer

That's the issue. So I am not able to pick them up in the map search!!

0 Karma

martin_mueller
SplunkTrust

Doesn't match how?

0 Karma

mchappidi
Explorer

Yes! But the "isSavedSearch=1" count (360) doesn't match the "|rest /services/saved/searches" count (90).

0 Karma

martin_mueller
SplunkTrust

The search I posted is a working example over here, so posting another doesn't seem useful to me.

Instead, you should work your way to what's going wrong on your end. Start with this:

| rest /services/saved/searches

That should list all your saved searches. Then add a user and the app:

| rest /servicesNS/user/app/saved/searches

That should list saved searches in that app. Then you add a saved search label to the end, and you should get details for that saved search. Confirm that's returned by the jobs call if it's a scheduled search.

mchappidi
Explorer

I hard-coded "author", "app" and "label". I just mentioned them as wildcards. Is this the right way to collect from savedsearch? Any example provided helps a lot.
Thank you again!!

0 Karma

martin_mueller
SplunkTrust

I don't think wildcards work there.

0 Karma

mchappidi
Explorer

Yes! I tried. But I didn't get any output.
| rest /servicesNS/*/*/saved/searches/* | fields title action.script action.script.filename

0 Karma

martin_mueller
SplunkTrust

Does running a single REST call for a saved search work based on values taken from the jobs call manually?

0 Karma

mchappidi
Explorer

I did it for 500. But no result.

0 Karma

martin_mueller
SplunkTrust

Heh, it appears map may not like maxsearches=0 for an infinite number of searches, try setting it to 1000 instead.

mchappidi
Explorer

Yes, I did that. But it is returning "None"/No Results found.

0 Karma

martin_mueller
SplunkTrust

By default the map command will only execute ten searches, see http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/map for reference. Add maxsearches=0 to disable the maximum entirely.

Consider filtering before the map, for example by app or search name - unless you want to see all 354 entries.

mchappidi
Explorer

Thanks for the immediate reply. I understood the logic.
But I got the following error:
"The search result count (354) exceeds maximum (10), using max. To override it, set maxsearches appropriately."

I'm new to Splunk search. Any help would be great.
Thank you again!!

0 Karma