Get the results of a Report per REST

hypePG · ‎01-29-2018

Hey everybody,

I am pretty sure this question already was asked, but I cant find help anywhere else.
I got a report called "test" created from User "Bob" in an app called "nmon". With a technical user which has the permissions to read and execute this report I want to get the result via REST. Like I said permissions are set.

curl -u u:p -k https://splunk:8089/servicesNS/-/-/saved/searches/test/ -X GET -d output_mode=json gives me the details of the report.

curl -u u:p -k https://splunk:8089/services/saved/searches/test/ -X GET -d output_mode=json should work, but just gives me the error "could not find object test"

My understanding of working with savedsearches via REST was, that in a first step i need to dispatch the search to get the results with the help of the SID. This doesnt work either. Because on this curl curl -u u:p -k https://splunk:8089/servicesNS/-/-/saved/searches/test/dispatch -X GET -d output_mode=json I get the following error
"Invalid custom action for this internal handler (handler: savedsearch, custom action: dispatch, eai action: list)." ...

Please help, what am I missing?

Thanks in advance,
Max

somesoni2 · ‎01-29-2018

See this
https://answers.splunk.com/answers/525791/how-to-execute-a-saved-search-using-splunks-rest-a.html

Get the results of a Report per REST

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector