Solved: Add the search ID to my search results

forbushbl · ‎12-27-2017

Is it possible to add the search ID for the currently running search to the search results?

I have a report that populates a summary index and I have an alert running against the summary index which triggers a webhook. Here is the flow.

scheduled report --> summary index --> alert --> webhook

I would like to capture the search ID from the scheduled report somehow and store that in the summary index so that I could build a link back to the job results for the scheduled report. I figure if that if there is someway to access this ID in my search pipeline, I can just include it in my scheduled report and it will end up in the summary index.

Any help would be appreciated.

somesoni2 · ‎12-28-2017

You can include |addinfo command in your summary index search which gives info_sid field which contains current job SID. See more on addinfo command here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Addinfo

View solution in original post

somesoni2 · ‎12-28-2017

You can include |addinfo command in your summary index search which gives info_sid field which contains current job SID. See more on addinfo command here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Addinfo

forbushbl · ‎12-28-2017

This is exactly what I was looking for, thanks!

Add the search ID to my search results

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases