Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i get the raw events from REST API from a saved search

EdSplunk
Explorer
‎05-06-2011 10:53 AM

I have created a saved search that runs every minute. I have opted to run a perl script as the alert option. Splunk passes in the search id to the script as one of it's parameters. Whenever I try to retrieve the events via REST, I get a blank page.

Here's what I run to get the events:
https://server:8089/services/search/jobs/my_search_id/events?output_mode=raw

I AM able to get the RESULTS though:
https://server:8089/services/search/jobs/my_search_id/results

Tags (3)
Reply

sideview
SplunkTrust
SplunkTrust
‎05-06-2011 11:46 PM

Splunk tends to kick off searches in the most efficient way possible. One way it speeds things up is that any fields that aren't referenced in the search wont be extracted or summarized. But another way is that unless someone sets the 'status_buckets' argument (on the dispatch POST) to something greater than 0, then it will preserve only the final results -- it wont preserve the raw events nor any bucketed summary information by time.

Note of course, if the search you are running does NOT have any reporting commands on it, the results and the events are the same -- ie you'd get the exact same results from the results endpoint as you would from the events endpoint.

But anyway when you're running scheduled reports, just set 

dispatch.buckets = 1

and that will basically tell Splunk to keep the events around, accessible through the events endpoint, and incidentally also the field summaries around, accessible through the summary endpoint.

You can see a little more background in this other answer:

http://splunk-base.splunk.com/answers/4028/job-summary-endpoint-fatal-error

And the UI Examples app has some pages talking about how status_buckets and it's cousin required_field_list are set by the views, and how this can effect performance. For more reading there pull down the "ui examples" app from Splunkbase and under "Advanced XML" you'll see several views with examples and docs, called "Affecting Search Performance".

And they are mentioned briefly in the REST docs although really I wish it would explain them a little more:

http://www.splunk.com/base/Documentation/4.2.1/Developer/RESTSearch#POST

Reply

EdSplunk
Explorer
‎09-08-2011 02:05 PM

What are the implications of this change to the performance of splunk?

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...