The Splunk Enterprise REST API provides the same functionality as Splunk Web, including running searches and managing knowledge objects and configurations. You can perform searches using Splunk Web, the CLI, or the Splunk REST API. You can also create a custom endpoint to introduce additional capabilities into the Splunk Enterprise REST API to meet your specific needs.

Question:

I know there have been a few posts on this topic, but I've been messing with it most of the day and the other posts weren't able to help me reach a solution. Hoping someone can provide some guidance.

I'm looking to pull some aggregate information out of Splunk via API requests, but wanted to pre-build the data set using a scheduled report in Splunk so that the API request returns faster, just pulling the results of the last run rather than running the search itself before returning results.

In the UI I've created a report named test. I've tried a few different schedules and it ran twice earlier today, but at the moment I have it on the cron schedule of 0 1 * * 4 (1 on Thursdays). Via the API I can fetch the saved report named test like this:

But no matter what schedule I set or modify in the UI, the results always show

Cannot find saved search with name '_ScheduledView_test'.

even though I know it ran twice in the last day and I can see the results in the UI.

Similarly, I tried updating the schedule via the API with

curl -u user:password --request POST ' --data schedule_time=

Am I missing something? I see the scheduled view and it's scheduled in the UI, but I can't figure out any way to see or access the schedule or history via the API. Also, if it's helpful, I checked and I believe our Splunk server version is 6.6.7. Hoping someone can shed some light on things, as it's not making sense to me at the moment.

Answer:

Looking at your curl, the saved search result you're pulling is at the path USER:APP:test, but that is the generic example I originally provided and probably has to be updated based on your user, app, and report name details. Can you confirm that there is data in the UI?

Essentially that curl is just exporting the results of the last run of a saved search. You can do the same search in the UI with

| loadjob savedsearch="USER:APP:REPORT"

Just replace USER with your username (it may need to be the user who owns/created the report; I haven't tested extensively), APP with the Splunk app where the report is saved, and REPORT with the name of the report. E.g.:

| loadjob savedsearch="bhjohns:engineering:customer configurations"

Also make sure to extend the time range of the search, as I believe it just pulls the last run as long as one exists within the time range. You might as well extend it longer to start (a few days) and then shrink it to where you expect it to be once you get results returning as expected.

Answer:

Way 2: Query the REST API to show the results by using an export on the search name, which will run the search and get the results without polling. Take a look at the screenshot below, which queries the /services/search/jobs endpoint to stream in the results of the search as they come in. Remember, you need to have the search capability in Splunk.
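The two answers above (loadjob over the export endpoint, and reading the scheduled runs through the REST API) worked through as an added example. This is not code from the thread or from Splunk, and it assumes things the posts do not state: the management port is https://localhost:8089, the report "test" is owned by "bhjohns" in the "search" app, credentials live in ~/.netrc so no password appears on the command line, the server certificate chains to a CA file named splunk-ca.pem, and the history feed and its sids below are constructed.

```bash
#!/usr/bin/env bash
# Added example for this thread; not the original posts' code and not Splunk's.
# Assumed (not on the page): management port https://localhost:8089, report
# "test" owned by bhjohns in app "search", ~/.netrc (mode 0600) holding the
# credentials, and a CA bundle splunk-ca.pem for the management port.
# The *_cmd functions only build curl invocations so they can be reviewed;
# nothing here contacts Splunk until you run the printed command.

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
CURL="curl -sS -n --cacert splunk-ca.pem"   # -n: read ~/.netrc instead of -u user:password

# Wrap a string in single quotes for a shell command line ( ' becomes '\'' ).
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# SPL that loads the results of the last scheduled run of USER:APP:REPORT.
loadjob_spl() {
  local user="$1" app="$2" report="$3"
  printf '| loadjob savedsearch="%s:%s:%s"' "$user" "$app" "$report"
}

# Export the last run's results without re-running the search. --data-urlencode
# handles the spaces and quotes in the SPL; the window is widened to a week
# because loadjob only finds a run that lies inside the search time range.
export_cmd() {
  local user="$1" app="$2" report="$3" earliest="${4:--7d}"
  printf '%s %s/services/search/jobs/export --data-urlencode %s -d output_mode=json -d earliest_time=%s -d latest_time=now' \
    "$CURL" "$SPLUNK_URL" "$(shquote "search=$(loadjob_spl "$user" "$app" "$report")")" "$earliest"
}

# Turn scheduling on and set the cron expression. The /servicesNS/USER/APP path
# selects the report by owner and app; is_scheduled and cron_schedule are the
# saved/searches fields that control the schedule (the cron has spaces, so it
# is URL-encoded).
schedule_cmd() {
  local user="$1" app="$2" report="$3" cron="$4"
  printf '%s %s/servicesNS/%s/%s/saved/searches/%s -d is_scheduled=1 --data-urlencode %s' \
    "$CURL" "$SPLUNK_URL" "$user" "$app" "$report" "$(shquote "cron_schedule=$cron")"
}

# List past scheduled runs of the report: one Atom <entry> per job, with the
# job's sid in <title>.
history_cmd() {
  local user="$1" app="$2" report="$3"
  printf '%s %s/servicesNS/%s/%s/saved/searches/%s/history' \
    "$CURL" "$SPLUNK_URL" "$user" "$app" "$report"
}

# Extract the sids from a history feed read on stdin. Splunk lists newest first,
# so the first line is the run whose results you fetch from
# /services/search/jobs/SID/results?output_mode=json.
history_sids() {
  sed -n 's/.*<title>\(scheduler__[^<]*\)<\/title>.*/\1/p'
}

# Constructed sample of the history feed, trimmed to the fields used here;
# the sids are made up.
SAMPLE_HISTORY='<feed>
<title>history</title>
<entry><title>scheduler__bhjohns__search__RMD5aaaa_at_1525000000_1</title></entry>
<entry><title>scheduler__bhjohns__search__RMD5aaaa_at_1524900000_2</title></entry>
</feed>'

latest_sid() { printf '%s\n' "$SAMPLE_HISTORY" | history_sids | head -n 1; }

# Print the commands for the thread's report so they can be checked before use.
export_cmd bhjohns search test; echo
schedule_cmd bhjohns search test '0 1 * * 4'; echo
history_cmd bhjohns search test; echo
echo "latest run: $(latest_sid)"
```

The account in ~/.netrc needs the search capability, and read access to the report in its app, for every call here. Pinning the CA with --cacert is deliberate: the management port ships with a self-signed certificate, and the usual shortcut of -k turns off certificate checking for a connection that carries your credentials.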