Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get alert result through API?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BrianLam,
I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:
https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published
Then use the related job link at .entry[0].links.job to construct a results URI:
{
/* ... */
"entry": [
/* ... */
"links": {
/* ... */
"job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx",
/* ... */
}
],
/* ... */
}
→
https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json
In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help @tscroggins.
I was able to get the result calling the API. But I had to fill in the {search_id} manually, is there a way to get the {search_id} through the endpoint or I have to retrieve it from a parameter in another GET request.
I need this because it's a daily alert and I would need to get the result through the API endpoint daily as well in BTP IS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BrianLam,
I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:
https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published
Then use the related job link at .entry[0].links.job to construct a results URI:
{
/* ... */
"entry": [
/* ... */
"links": {
/* ... */
"job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx",
/* ... */
}
],
/* ... */
}
→
https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json
In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BrianLam,
You can retrieve the search results using the search/v2/jobs/{search_id}/results endpoint. See https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearc....
The search_id value is specific to the instance of the search that generated the alert.
It's a simple GET request. The default output mode is XML. If you want JSON output, pass the output_mode query parameter as part of the GET request:
https://splunk:8089/services/search/v2/jobs/scheduler__user__app__xxx_at_xxx_xxx/results?output_mode=json
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
