Splunk Search

How to execute a saved search using Splunk's REST API

I know this question has been asked a few times but none of the answers seem to work for me.
I have a saved search called usernameSearch and want to execute it synchronously using Splunk's REST API.

Executing POST https://localhost:8089/services/saved/searches/usernameSearch/dispatch gives me the following response but not the results of the search. How can I possibly get the result synchronously ?

<sid>admin__admin__twsdashboard__usernameSearch_at_1493721538_18</sid>

1 Solution

Communicator

Hi,

Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"

You can also use the following if you would like the results in CSV format:

curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"

Kind regards,

View solution in original post

New Member

I assume you're looking for more like a fetch call??

Using the npm library axios I would do

axios.get(url, {
  auth: {username: 'username', password: 'password'},
  params: {output_mode: 'json', 'search': 'savedsearch usernameSearch'},
})
.then((response)=>{
  console.log(response);
})
.catch((err)=>{
  console.log('err', err);
});
0 Karma

Communicator

Hi,

Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"

You can also use the following if you would like the results in CSV format:

curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"

Kind regards,

View solution in original post

Explorer

@hhGA I m trying to get saved search results from browser, so i m using below url

https://hostname:8089/servicesNS/nobody/OMEGA/search/jobs/export?output_mode=json&count=1&search=sav... <savedsearch_name>

I m getting below output , anyidea wht is wrong here

{"preview":false,"lastrow":true}

0 Karma

Path Finder

{"preview":false,"lastrow":true} is returned when the saved search has 0 results.

0 Karma

Thanks a lot. This works perfectly !

0 Karma

Communicator

You're welcome.

0 Karma