Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run a saved search with SDK?

zacharysyoung
Explorer
‎06-06-2012 12:42 PM

I'm new to Splunk, and am trying to run a saved search with the Python SDK, with the client module (not binding), only I don't understand the SDK model well enough (probably don't know Splunk itself well enough either). I can list all saved searches with saved_searches.py or a particular search with saved_search/saved_search.py, and I can run a one-off search:

job  = splunk.jobs.create('search sourcetype=foo earliest=-60m')

but I don't see an interface for running a saved search.

Can the client module run a saved search?

Thank you,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

View solution in original post

Reply
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

Reply
Solved! Jump to solution

zacharysyoung
Explorer
‎06-06-2012 01:59 PM

Thank you, Apruneda. This is exactly the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...