Splunk Search

How to execute a saved search using Splunk's REST API

subhashishfid
Engager

I know this question has been asked a few times but none of the answers seem to work for me.
I have a saved search called usernameSearch and want to execute it synchronously using Splunk's REST API.

Executing POST https://localhost:8089/services/saved/searches/usernameSearch/dispatch gives me the following response but not the results of the search. How can I possibly get the result synchronously?

<sid>admin__admin__twsdashboard__usernameSearch_at_1493721538_18</sid>

1 Solution

hhGA
Communicator

Hi,

Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"

You can also use the following if you would like the results in CSV format:

curl --silent -k -u '<username>:<password>' 'https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv' -d search=" savedsearch <saved_search_name>"

Kind regards,

AlisonHaire
New Member

I assume you're looking for more like a fetch call??

Using the npm library axios I would do

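const axios = require('axios');

// Assumed endpoint: the export URL from the accepted answer in this thread.
const url = 'https://localhost:8089/servicesNS/admin/search/search/jobs/export';

axios.get(url, {
  auth: {username: 'username', password: 'password'},
  params: {output_mode: 'json', 'search': 'savedsearch usernameSearch'},
})
.then((response)=>{
  console.log(response);
})
.catch((err)=>{
  console.log('err', err);
});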
0 Karma

revanthammineni
Path Finder

Hi.

I’m having an issue related to my savedsearch. I created a saved search and scheduled it. But it is not showing up when I try with the API endpoint.

/search/saved/searches.

I can only see a few of the reports.

Any recommendations?

TIA.

0 Karma

vasanthi77
Explorer

@hhGA I'm trying to get saved search results from the browser, so I'm using the URL below

https://hostname:8089/servicesNS/nobody/OMEGA/search/jobs/export?output_mode=json&count=1&search=sav... <savedsearch_name>

I'm getting the output below. Any idea what is wrong here?

{"preview":false,"lastrow":true}

0 Karma

simon_lavigne
Path Finder

{"preview":false,"lastrow":true} is returned when the saved search has 0 results.

0 Karma
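
As an added example (not code from any poster in this thread), here is one way to tell the empty-result marker apart from a truncated or failed response when reading the export endpoint's JSON output. It assumes each line of the body is one JSON object carrying the `preview` and `lastrow` fields shown above plus an optional `result` object; the function name and the sample lines are constructed for illustration.

```javascript
// Added example: parse the newline-delimited JSON body returned by
// search/jobs/export?output_mode=json.
// Assumption: one JSON object per line, with "preview", "lastrow" and an
// optional "result" object. Only "preview" and "lastrow" appear in the thread.
function parseExportBody(body) {
  const rows = [];
  const skipped = [];
  let sawLastRow = false;
  for (const line of body.split(/\r?\n/)) {
    const text = line.trim();
    if (text === '') continue;
    let msg;
    try {
      msg = JSON.parse(text);
    } catch (err) {
      skipped.push(text); // truncated or non-JSON line (for example an error page)
      continue;
    }
    if (msg === null || typeof msg !== 'object') {
      skipped.push(text); // valid JSON, but not a result envelope
      continue;
    }
    if (msg.preview === true) continue; // preview rows are superseded by final rows
    if (msg.result !== undefined) rows.push(msg.result);
    if (msg.lastrow === true) sawLastRow = true;
  }
  return {
    rows,
    complete: sawLastRow,                       // stream ended with a lastrow marker
    empty: sawLastRow && rows.length === 0,     // search ran and matched nothing
    skipped,
  };
}

// Constructed sample bodies (not captured from a real Splunk instance).
const SAMPLE_WITH_ROWS = [
  '{"preview":false,"offset":0,"result":{"user":"alice","count":"3"}}',
  '{"preview":false,"offset":1,"lastrow":true,"result":{"user":"bob","count":"1"}}',
].join('\n');
const SAMPLE_EMPTY = '{"preview":false,"lastrow":true}';
const SAMPLE_TRUNCATED =
  '{"preview":false,"offset":0,"result":{"user":"alice"}}\n{"preview":false,"off';

console.log(parseExportBody(SAMPLE_WITH_ROWS));
console.log(parseExportBody(SAMPLE_EMPTY));
console.log(parseExportBody(SAMPLE_TRUNCATED));
```

A script that alerts on search output can treat `empty` as a clean "no matches" and treat `complete === false` as a failed collection that should not be read as zero results.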

subhashishfid
Engager

Thanks a lot. This works perfectly !

0 Karma

hhGA
Communicator

You're welcome.

0 Karma