Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use curl to collect data into summary index

wanderingHeight
New Member
‎07-01-2021 09:34 AM

Is there an API that I could use to trigger a saved search that can collect data from an index into a summary index? 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 09:43 AM

Try  saved/searches/{name}/dispatch.  See https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D....

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wanderingHeight
New Member
‎07-01-2021 10:18 AM

Thank you for your response. I don't think /dispatch is what I'm looking for. 

I have an saved search that populates data into an index at a scheduled time. This index in turn collects that data into a summary index which is used to display it on one of our Visualizations dashboards. The savedsearches.conf uses the action.summary_index and action.summary_index._name to collect this data. I was wondering if there was an api that can be used to collect data from a regular index into a summary index. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 11:05 AM

The dispatch endpoint triggers a saved search, which is what the OP asked for.

If you need an API to do any other search activity then you need to submit a new search job.  See https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTsearch#search.2Fjobs The job will contain the SPL needed to do what you want done, including a collect command.  However, it sounds like the API will be doing the same thing the scheduled search is doing already so why bother?  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...