- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to execute a saved search using Splunk's REST ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this question has been asked a few times but none of the answers seem to work for me.
I have a saved search called usernameSearch and want to execute it synchronously using Splunk's REST API.
Executing POST https://localhost:8089/services/saved/searches/usernameSearch/dispatch gives me the following response but not the results of the search. How can I possibly get the result synchronously ?
<sid>admin__admin__twsdashboard__usernameSearch_at_1493721538_18</sid>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"
You can also use the following if you would like the results in CSV format:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"
Kind regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you're looking for more like a fetch call??
Using the npm library axios I would do
axios.get(url, {
auth: {username: 'username', password: 'password'},
params: {output_mode: 'json', 'search': 'savedsearch usernameSearch'},
})
.then((response)=>{
console.log(response);
})
.catch((err)=>{
console.log('err', err);
});
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"
You can also use the following if you would like the results in CSV format:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"
Kind regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
I’m having an issue related to my savedsearch. I created a saved search and scheduled it. But it is not showing up when try with the API endpoint.
/search/saved/searches.
I can only see few of the reports.
any recommendations?
TIA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hhGA I m trying to get saved search results from browser, so i m using below url
https://hostname:8089/servicesNS/nobody/OMEGA/search/jobs/export?output_mode=json&count=1&search=sav... <savedsearch_name>
I m getting below output , anyidea wht is wrong here
{"preview":false,"lastrow":true}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
{"preview":false,"lastrow":true} is returned when the saved search has 0 results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot. This works perfectly !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
