Splunk Search

Using REST API search endpoints to retrieve a saved search SID and search results, why are no results returned?

ks2211
Engager

Hi All,

I'm trying to build a mini SDK for the REST API using Golang (focusing on the search/saved search endpoints at the moment). I've got a lot of the endpoints working individually where I can create saved search, dispatch, delete, etc. Same with searching where I can search jobs, get search results of a job, etc.

However, when I try to run multiple methods in succession (mainly Dispatch Saved Search to get SID and then get Search Results for given SID), it fails. The Dispatch method returns the SID.
When I try to run the Search Results GET with the SID though, it returns nothing.

Anyone have any suggestions on this?

Thanks

0 Karma
1 Solution

sowings
Splunk Employee

Dispatch runs a search, and then if you're immediately trying to get <sid> results, it might not be done (and there may be no results). You could consider an intermediary step at /search/jobs/<sid> to see the value of isDone....


ks2211
Engager

Ahhhhhhh this is perfect thank you! Now it works fine 😄

0 Karma

Ravimrawi
New Member

I'm unable to get the sid for my search; rather, I'm getting the below details. Please assist.

curl -s -k -u 'hdcauser:hdcauser123' -o - https://splunkapi.homedepot.com:8089/services/search/jobs -d "search+${ENCODED_QRY}"|head

https://splunkapi.homedepot.com:8089/services/search/jobs
2016-04-20T11:22:46-04:00

<name>Splunk</name>
0 Karma

Ravimrawi
New Member

--This is to override browser formatting; see server.conf[httpServer] to disable.

0 Karma

Ravimrawi
New Member

Could you tell me how to get rid of all these texts and get only the sid?

0 Karma

ks2211
Engager

Hey so I just had a question regarding this--is there a good way to check the status of the job and get the SID and then get the results?

Currently, I'm hitting the endpoint /search/jobs/ but I'm doing a set interval (or time.Sleep in Golang's case) to pause the program at this state until the job is "done".

Is there a way to not pause and I guess poll this endpoint (not sure if this is correct terminology?)

0 Karma
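
An added example, not from the thread or from any Splunk SDK: one way to do the isDone check at search/jobs/<sid> suggested in the accepted answer, polling with a context deadline instead of a fixed sleep. The helper name WaitDone, bearer-token authentication and the environment variable names are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// WaitDone (hypothetical helper) polls search/jobs/<sid> until isDone, failure, or ctx end; returns the poll count.
func WaitDone(ctx context.Context, hc *http.Client, jobURL, token string, every time.Duration) (int, error) {
	for polls := 1; ; polls++ {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, jobURL+"?output_mode=json", nil)
		if err != nil {
			return polls, err
		}
		req.Header.Set("Authorization", "Bearer "+token) // assumed: token auth
		resp, err := hc.Do(req)
		if err != nil {
			return polls, err
		}
		var st struct{ Entry []struct{ Content struct{ IsDone, IsFailed bool } } }
		err = json.NewDecoder(resp.Body).Decode(&st)
		resp.Body.Close()
		switch {
		case resp.StatusCode != http.StatusOK:
			return polls, fmt.Errorf("job status: HTTP %d", resp.StatusCode)
		case err != nil:
			return polls, err
		case len(st.Entry) == 0 || st.Entry[0].Content.IsFailed:
			return polls, fmt.Errorf("job missing or failed")
		case st.Entry[0].Content.IsDone:
			return polls, nil // results are complete: GET jobURL + "/results"
		}
		select { // wait without blocking cancellation, unlike a bare time.Sleep
		case <-ctx.Done():
			return polls, ctx.Err()
		case <-time.After(every):
		}
	}
}

func main() { // SPLUNK_JOB_URL and SPLUNK_TOKEN are assumed environment variable names
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()
	fmt.Println(WaitDone(ctx, http.DefaultClient, os.Getenv("SPLUNK_JOB_URL"), os.Getenv("SPLUNK_TOKEN"), time.Second))
}
```

Call it between the dispatch request that returns the SID and the request to search/jobs/{search_id}/results, with jobURL set to the full search/jobs/<sid> URL.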

sowings
Splunk Employee

Can you provide the paths to the endpoints you're querying? I'm not sure which of several possible endpoints you mean by "Search Results GET".

0 Karma

ks2211
Engager

So I use this one
"saved/searches/{name}/dispatch" to get the SID

Then I try this one
"search/jobs/{search_id}/results" to get the results of the saved search

The SID returns fine. But I can't get the results back--for whatever reason.
The request URL when the code runs returns the data fine in the browser/curl request. However, it seems like my code isn't going through to hit the endpoint after the first time.

0 Karma