Is it possible to dispatch a scheduled report as t...

fralcalde · ‎12-31-2020

What i am trying to accomplish is forcing the scheduler to dispatch a scheduled saved search throgh REST in order to update it's cached results.

here's what i have working so far:

1 scheduled report with search:

| makeresults Count=1
| eval embed = "embeded report"
| eval argumento = $args.argument$
| table embed, argumento

Then I execute:

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/Admin_Tools/saved/searches/embed_report/dispatch -d args.argument=1

And get the response:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>admin__admin_QWRtaW5fVG9vbHM__RMD5e57d89b9c983845a_at_1609434492_13436</sid>
</response>

With the sid i can see that the argument was passed correctly:

curl -k -u admin:pass https://localhost:8089/services/search/jobs/admin__admin_QWRtaW5fVG9vbHM__RMD5e57d89b9c983845a_at_1609434492_13436/results

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta>
<fieldOrder>
<field>embed</field>
<field>argumento</field>
</fieldOrder>
</meta>
	<result offset='0'>
		<field k='embed'>
			<value><text>embeded report</text></value>
		</field>
		<field k='argumento'>
			<value><text>1</text></value>
		</field>
	</result>
</results>

The thing is i want to have this report embbeded in a web app. From this app, perform a request to the REST API with this argument and have the embbeded report updated.

However, the embbeded report shows the last cached results which are saved in a job with a name like: scheduler__nobody_XXXX-XXXX-XXXXXX

Any ideas how this can be achieved?
Thank you.

Is it possible to dispatch a scheduled report as the scheduler and pass arguments through REST API ?

other

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...