Splunk Search

Using REST API search endpoints to retrieve a saved search SID and search results, why are no results returned?

Engager

Hi All,

I'm trying to build a mini SDK for the REST API using Golang (focusing on the search/saved search endpoints at the moment). I've got a lot of the endpoints working individually where I can create saved search, dispatch, delete, etc. Same with searching where I can search jobs, get search results of a job, etc.

However, when I try to run multiple methods in succession (mainly Dispatch Saved Search to get SID and then get Search Results for given SID), it fails. The Dispatch method returns the SID.
When I try to run the Search Results GET with the SID though, it returns nothing.

Anyone have any suggestions on this?

Thanks

0 Karma
1 Solution

Splunk Employee

Dispatch runs a search, and then if you're immediately trying to get <sid> results, it might not be done (and there may be no results). You could consider an intermediary step at /search/jobs/<sid> to see the value of isDone....

Engager

Ahhhhhhh this is perfect thank you! Now it works fine 😄

0 Karma

New Member

I'm unable to get the sid for my search; rather, I'm getting the below details. Please assist.

curl -s -k -u 'hdcauser:hdcauser123' -o - https://splunkapi.homedepot.com:8089/services/search/jobs -d "search+${ENCODED_QRY}"|head

https://splunkapi.homedepot.com:8089/services/search/jobs
2016-04-20T11:22:46-04:00

<name>Splunk</name>
0 Karma

New Member

--This is to override browser formatting; see server.conf[httpServer] to disable.

0 Karma

New Member

Could you tell me how to get rid of all these texts and get only the sid?

0 Karma

Engager

Hey so I just had a question regarding this--is there a good way to check the status of the job and get the SID and then get the results?

Currently, I'm hitting the endpoint /search/jobs/ but I'm doing a set interval (or time.Sleep in Golang's case) to pause the program at this state until the job is "done".

Is there a way to not pause and I guess poll this endpoint (not sure if this is correct terminology?)

0 Karma

Splunk Employee

Can you provide the paths to the endpoints you're querying? I'm not sure which of several possible endpoints you mean by "Search Results GET".

0 Karma

Engager

So I use this one
"saved/searches/{name}/dispatch" to get the SID

Then I try this one
"search/jobs/{search_id}/results" to get the results of the saved search

The SID returns fine. But I can't get the results back--for whatever reason.
The request URL when the code runs returns the data fine in the browser/curl request. However, it seems like my code isn't going through to hit the endpoint after the first time.

0 Karma
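
The flow suggested in the accepted answer (dispatch, check isDone at /search/jobs/<sid>, then read the results), as an added example that is not code from any poster in this thread or from Splunk. The `Splunk` type, `call` and `RunSaved` are names made up for this sketch; the endpoint paths are the ones quoted in the thread, and `output_mode=json` is requested so the replies decode as JSON.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

type Splunk struct{ Base, User, Pass string } // example type: management URL (port 8089) and credentials

// call sends one request with output_mode=json and decodes the JSON reply into out.
func (s Splunk) call(ctx context.Context, method, path string, out any) error {
	req, err := http.NewRequestWithContext(ctx, method, s.Base+"/services"+path+"?output_mode=json", nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth(s.User, s.Pass)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: %s", method, path, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// RunSaved dispatches a saved search, polls the job until isDone, then fetches the results.
func (s Splunk) RunSaved(ctx context.Context, name string, every time.Duration) ([]map[string]any, error) {
	var d struct{ Sid string } // encoding/json matches the "sid" key case-insensitively
	if err := s.call(ctx, "POST", "/saved/searches/"+url.PathEscape(name)+"/dispatch", &d); err != nil {
		return nil, err
	}
	job := "/search/jobs/" + url.PathEscape(d.Sid)
	var st struct{ Entry []struct{ Content struct{ IsDone bool } } }
	for len(st.Entry) == 0 || !st.Entry[0].Content.IsDone {
		time.Sleep(every) // ctx bounds the total wait: once it expires the next call fails
		if err := s.call(ctx, "GET", job, &st); err != nil {
			return nil, err
		}
	}
	var r struct{ Results []map[string]any }
	err := s.call(ctx, "GET", job+"/results", &r)
	return r.Results, err
}
```

`http.DefaultClient` verifies the server certificate, so splunkd's certificate has to chain to a CA the client trusts; the curl command in the thread skips that check with `-k`.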