Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use curl to collect data into summary index

wanderingHeight
New Member
‎07-01-2021 09:34 AM

Is there an API that I could use to trigger a saved search that can collect data from an index into a summary index? 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 09:43 AM

Try  saved/searches/{name}/dispatch.  See https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D....

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wanderingHeight
New Member
‎07-01-2021 10:18 AM

Thank you for your response. I don't think /dispatch is what I'm looking for. 

I have an saved search that populates data into an index at a scheduled time. This index in turn collects that data into a summary index which is used to display it on one of our Visualizations dashboards. The savedsearches.conf uses the action.summary_index and action.summary_index._name to collect this data. I was wondering if there was an api that can be used to collect data from a regular index into a summary index. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 11:05 AM

The dispatch endpoint triggers a saved search, which is what the OP asked for.

If you need an API to do any other search activity then you need to submit a new search job.  See https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTsearch#search.2Fjobs The job will contain the SPL needed to do what you want done, including a collect command.  However, it sounds like the API will be doing the same thing the scheduled search is doing already so why bother?  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...