Solved: What endpoint for schedule searches?

ben_leung · ‎06-13-2014

Using REST API to call curl command, what is the exact endpoint to hit in order to create a scheduled search with all options like expiration of alerts etc..

emechler_splunk · ‎06-14-2014

I believe the REST API Tutorial will be helpful here, it walks you through this exact example: http://dev.splunk.com/view/rest-api-tutorials/SP-CAAADQ6

curl  -k -u admin:changeme -d "name=web_errors" -d 'search="source%3D*web.log+status>400"' https://localhost:8089/servicesNS/admin/search/saved/searches

All of the options for the search/saved/searches endpoint can be found here (including alert.expires which defines the alert expiration time): http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches

View solution in original post

emechler_splunk · ‎06-14-2014

I believe the REST API Tutorial will be helpful here, it walks you through this exact example: http://dev.splunk.com/view/rest-api-tutorials/SP-CAAADQ6

curl  -k -u admin:changeme -d "name=web_errors" -d 'search="source%3D*web.log+status>400"' https://localhost:8089/servicesNS/admin/search/saved/searches

All of the options for the search/saved/searches endpoint can be found here (including alert.expires which defines the alert expiration time): http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#saved.2Fsearches

View solution in original post

_gkollias · ‎06-16-2015

Do you have to manually create the /servicesNS/... directory path, or is this created out of the box?

I can't seem to find it under /opt/splunk

Thanks!

What endpoint for schedule searches?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>