Splunk Search

How to get alert result through API?

BrianLam
Engager

I'm calling the API from BTP IS and want to get the result of an alert that I created from before. My alert name is PRD - Daily CCS Integrations Error Report, not quite sure what's the correct syntax of the URL and command to get the result.

Tags (3)
0 Karma
1 Solution

tscroggins
Influencer

Hi @BrianLam,

I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:

 

https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published

 

Then use the related job link at .entry[0].links.job to construct a results URI:

 

{
  /* ... */
  "entry": [
    /* ... */
    "links": {
      /* ... */
      "job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx",
      /* ... */
    }
  ],
  /* ... */
}

 

 

https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json

 

In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.

View solution in original post

BrianLam
Engager

Thanks for the help @tscroggins.

I was able to get the result calling the API. But I had to fill in the {search_id} manually, is there a way to get the {search_id} through the endpoint or I have to retrieve it from a parameter in another GET request.

I need this because it's a daily alert and I would need to get the result through the API endpoint daily as well in BTP IS

0 Karma

tscroggins
Influencer

Hi @BrianLam,

I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:

 

https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published

 

Then use the related job link at .entry[0].links.job to construct a results URI:

 

{
  /* ... */
  "entry": [
    /* ... */
    "links": {
      /* ... */
      "job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx",
      /* ... */
    }
  ],
  /* ... */
}

 

 

https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json

 

In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.

tscroggins
Influencer

Hi @BrianLam,

You can retrieve the search results using the search/v2/jobs/{search_id}/results endpoint. See https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearc....

The search_id value is specific to the instance of the search that generated the alert.

It's a simple GET request. The default output mode is XML. If you want JSON output, pass the output_mode query parameter as part of the GET request:

https://splunk:8089/services/search/v2/jobs/scheduler__user__app__xxx_at_xxx_xxx/results?output_mode=json

 

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...