Hi all,
Before I dive into the issue, I'd like to explain the goal:
I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST command. I've successfully returned results via curl, but as of yet I have not succeeded using |REST.
I have attempted these tests on both expired and non-expired SIDs.
Below is an example of successfully returning results via curl:
curl -u admin:changeme -k https://localhost:8089/servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results/
If I run the following, I successfully retrieve all the various metadata about the search's dispatch itself:
| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/
However, when I attempt to retrieve the results with the following, I get an error about failing to fetch the rest endpoint:
| REST /servicesNS/admin/SplunkEnterpriseSecuritySuite/search/jobs/1545072559.25/results
I've also tried various forms of GET as described here:
https://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2Fdispatch
All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.
Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.
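Added example, not part of the original post: if the job results do have to be pulled outside SPL, the script fallback mentioned above can be a small Python client against the same .../search/jobs/<sid>/results endpoint the curl call uses. Assumptions: the documented results endpoint with output_mode=json, the password in a SPLUNK_PASSWORD environment variable instead of on the command line, and a CA bundle for the splunkd certificate so that TLS verification stays on (the curl in the post used -k, which disables it). The SID and path segments are URL-quoted so a value joined in from a search field cannot add extra path components; the SAMPLE_BODY is a constructed response used only to show the parsing.

```python
"""Fetch a finished search job's results by SID over the Splunk REST API.

Added example, not code from the original post. It assumes:
  - the documented endpoint .../search/jobs/<sid>/results with output_mode=json
  - the password in the SPLUNK_PASSWORD environment variable
  - a reachable splunkd management port (default 8089); nothing is contacted
    by the pure helper functions below, which is what the sample exercises.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request


def results_url(base_url, user, app, sid, count=0):
    """Build the results endpoint URL for a job SID.

    count=0 asks for all rows; user, app and the SID are URL-quoted so a
    value taken from a search field cannot inject extra path components.
    """
    path = "/servicesNS/{}/{}/search/jobs/{}/results".format(
        urllib.parse.quote(user, safe=""),
        urllib.parse.quote(app, safe=""),
        urllib.parse.quote(sid, safe=""),
    )
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return base_url.rstrip("/") + path + "?" + query


def parse_results(body):
    """Extract result rows from the JSON body the results endpoint returns.

    The endpoint wraps rows in a top-level "results" list; "preview" is true
    while the job is still running, in which case rows may be incomplete.
    """
    doc = json.loads(body)
    if doc.get("preview"):
        raise RuntimeError("job still running: results are only a preview")
    return doc.get("results", [])


def fetch_results(base_url, user, app, sid, cafile=None, timeout=30):
    """GET the job results with HTTP basic auth, verifying the server cert.

    cafile: path to the CA bundle that signed the splunkd certificate.
    Keeping verification on is the replacement for curl's -k flag.
    """
    password = os.environ["SPLUNK_PASSWORD"]
    token = base64.b64encode("{}:{}".format(user, password).encode()).decode()
    req = urllib.request.Request(
        results_url(base_url, user, app, sid),
        headers={"Authorization": "Basic " + token},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_results(resp.read().decode("utf-8"))


# Constructed sample of what the results endpoint returns for a finished job.
SAMPLE_BODY = json.dumps({
    "preview": False,
    "init_offset": 0,
    "fields": [{"name": "src"}, {"name": "count"}],
    "results": [
        {"src": "10.0.0.5", "count": "3"},
        {"src": "10.0.0.9", "count": "1"},
    ],
})

if __name__ == "__main__":
    # SID and app name taken from the post; host is the local management port.
    url = results_url("https://localhost:8089", "admin",
                      "SplunkEnterpriseSecuritySuite", "1545072559.25")
    print(url)
    for row in parse_results(SAMPLE_BODY):
        print(row)
```

Running the module prints the URL that corresponds to the curl call in the post and the two constructed rows; fetch_results does the live request once SPLUNK_PASSWORD and a CA bundle are supplied.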