Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run a saved search with SDK?

zacharysyoung
Explorer
‎06-06-2012 12:42 PM

I'm new to Splunk, and am trying to run a saved search with the Python SDK, with the client module (not binding), only I don't understand the SDK model well enough (probably don't know Splunk itself well enough either). I can list all saved searches with saved_searches.py or a particular search with saved_search/saved_search.py, and I can run a one-off search:

job  = splunk.jobs.create('search sourcetype=foo earliest=-60m')

but I don't see an interface for running a saved search.

Can the client module run a saved search?

Thank you,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

View solution in original post

Reply
Solved! Jump to solution
Solution

apruneda_splunk
Splunk Employee
Splunk Employee
‎06-06-2012 01:17 PM

Yes it certainly can. To run a saved search, use splunklib.client.SavedSearch.dispatch() (see the reference docs here: http://docs.splunk.com/DocumentationStatic/PythonSDK/0.8Beta/client.html#splunklib.client.SavedSearc... ).

The saved search example shows how to list your saved searches, but not how to run one. BUT, you can see an example of how to run a saved search in the unit tests for saved_search (/test/test_saved_search.py). Look for "def test_dispatch(self)", which tests various things such as enumerating saved searches, deleting one, creating one, but also running one. This part of the test case runs a search, gets back a job ID, waits for the job to finish, gets the results: 

    ...
    job = saved_search.dispatch()
    testlib.wait(job, lambda job: bool(int(job['isDone'])))
    job.results().close()
    job.cancel()
    ...

In general, the unit tests are a good place to look for examples of how to use the API.

Reply
Solved! Jump to solution

zacharysyoung
Explorer
‎06-06-2012 01:59 PM

Thank you, Apruneda. This is exactly the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...