Splunk Search

How to execute a saved search using Splunk's REST API

subhashishfid
Engager

I know this question has been asked a few times but none of the answers seem to work for me.
I have a saved search called usernameSearch and want to execute it synchronously using Splunk's REST API.

Executing POST https://localhost:8089/services/saved/searches/usernameSearch/dispatch gives me the following response but not the results of the search. How can I possibly get the result synchronously ?

<sid>admin__admin__twsdashboard__usernameSearch_at_1493721538_18</sid>

1 Solution

hhGA
Communicator

Hi,

Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"

You can also use the following if you would like the results in CSV format:

curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"

Kind regards,

View solution in original post

AlisonHaire
New Member

I assume you're looking for more like a fetch call??

Using the npm library axios I would do

axios.get(url, {
  auth: {username: 'username', password: 'password'},
  params: {output_mode: 'json', 'search': 'savedsearch usernameSearch'},
})
.then((response)=>{
  console.log(response);
})
.catch((err)=>{
  console.log('err', err);
});
0 Karma

hhGA
Communicator

Hi,

Please try:
curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search=" savedsearch <saved_search_name>"

You can also use the following if you would like the results in CSV format:

curl --silent -k -u '<username>:<password>' https://localhost:8089/servicesNS/admin/search/search/jobs/export?output_mode=csv -d search=" savedsearch <saved_search_name>"

Kind regards,

revanthammineni
Path Finder

Hi.

I’m having an issue related to my savedsearch. I created a saved search and scheduled it. But it is not showing up when try with the API endpoint. 

/search/saved/searches.

I can only see few of the reports.

any recommendations?

TIA.

0 Karma

vasanthi77
Explorer

@hhGA I m trying to get saved search results from browser, so i m using below url

https://hostname:8089/servicesNS/nobody/OMEGA/search/jobs/export?output_mode=json&count=1&search=sav... <savedsearch_name>

I m getting below output , anyidea wht is wrong here

{"preview":false,"lastrow":true}

0 Karma

simon_lavigne
Path Finder

{"preview":false,"lastrow":true} is returned when the saved search has 0 results.

0 Karma

subhashishfid
Engager

Thanks a lot. This works perfectly !

0 Karma

hhGA
Communicator

You're welcome.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...