Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using REST API search endpoints to retrieve a saved search SID and search results, why are no results returned?

ks2211
Engager
‎01-04-2016 08:25 AM

Hi All,

I'm trying to build a mini SDK for the REST API using Golang (focusing on the search/saved search endpoints at the moment). I've got alot of the endpoints working individually where I can create saved search, dispatch, delete, etc. Same with searching where I can search jobs, get search results of a job, etc.

However,
When I try to run multiple methods in succession (mainly Dispatch Saved Search to get SID and then get Search Results for given SID), it fails. The Dispatch method returns the SID.
When I try to run the Search Results GET with the SID though, it returns nothing.

Any one have any suggetsions on this?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎01-04-2016 08:47 AM

Dispatch runs a search, and then if you're immediately trying to get <sid> results, it might not be done (and there may be no results). You could consider an intermediary step at /search/jobs/<sid> to see the value of isDone....

View solution in original post

Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎01-04-2016 08:47 AM

Dispatch runs a search, and then if you're immediately trying to get <sid> results, it might not be done (and there may be no results). You could consider an intermediary step at /search/jobs/<sid> to see the value of isDone....

Reply
Solved! Jump to solution

ks2211
Engager
‎01-04-2016 09:21 AM

Ahhhhhhh this is perfect thank you! Now it works fine 😄

0 Karma
Reply
Solved! Jump to solution

Ravimrawi
New Member
‎04-20-2016 08:23 AM

I'm unable to get the sid for my search rather I'm getting the below details. Please assist

curl -s -k -u 'hdcauser:hdcauser123' -o - https://splunkapi.homedepot.com:8089/services/search/jobs -d "search+${ENCODED_QRY}"|head

https://splunkapi.homedepot.com:8089/services/search/jobs
2016-04-20T11:22:46-04:00

<name>Splunk</name>
0 Karma
Reply
Solved! Jump to solution

Ravimrawi
New Member
‎04-20-2016 08:23 AM

--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0 Karma
Reply
Solved! Jump to solution

Ravimrawi
New Member
‎04-20-2016 08:28 AM

COuld you tell me how to get rid all these texts and get only the sid ?

0 Karma
Reply
Solved! Jump to solution

ks2211
Engager
‎01-05-2016 11:01 AM

Hey so I just had a question regarding this--is there a good way to check the status of the job and get the SID and then get the results?

Currently, I'm hitting the endpoint /search/jobs/ but I'm doing a set interval (or time.Sleep in Golang's case) to pause the program at this state until the job is "done".

Is there a way to not pause and I guess poll this endpoint (not sure if this is correct terminology?)

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎01-04-2016 08:38 AM

Can you provide the paths to the endpoints you're querying? I'm not sure which of several possible endpoints you mean by "Search Results GET".

0 Karma
Reply
Solved! Jump to solution

ks2211
Engager
‎01-04-2016 08:42 AM

So I use this one
"saved/searches/{name}/dispatch" to get the SID

Then I try this one
"search/jobs/{search_id}/results" to get the results of the saved search

The SID returns fine. But I can't get the results back--for whatever reason.
The request URL when the code runs returns the data fine in the browser/curl request. However, it seems like my code isn't going through to hit the endpoint after the first time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...