Finding specific searches in Splunk via REST API calls

rmoreira
Splunk Employee

I know I can get all of the saved searches from the API, which I can use in order to get information about all searches. I can do this, but I would like to avoid having to parse through all of this information every time I want to access a search. I would like to know if there is a way to get the information for a specific search, including the search ID, given the search name. Currently I am using the following method in the API to get a search ID:

            /services/search/jobs -d "search=search <search string>"

But is there a similar method where I can just call something like the following for a saved search, say saved_search_name, in order to get the search ID?

            /services/search/jobs -d savedSearch=saved_search_name

Thanks.

ineeman
Splunk Employee

The REST API follows a collection/entity model, which just means it has a bunch of collections (search jobs, saved searches, apps, users, views, etc.) and each one of those collections is just a list of entities (a single search job, a single saved search).

For example, the endpoint for all saved searches:
/saved/searches

And the endpoint to get a particular saved search:
/saved/searches/{name}

And in particular for saved searches, if you want to get a list of their running history, you can do:
/saved/searches/{name}/history

Which will give you back job information for that particular saved search. You can read more about collections/entities here and specifically about /history here

ziegfried
Influencer

You can query for specific attributes of the jobs. E.g.

Search for Jobs of a saved search "My Search"

/services/search/jobs?search=label%3DMy%20Search

or with a name starting with "My Search"

/services/search/jobs?search=label%3DMy%20Search*

Note that the value of the search parameter needs to be URL-encoded.

label=My Search* ==> label%3DMy%20Search*

0 Karma
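
The two lookups described in the answers above (the `/saved/searches/{name}/history` entity endpoint and the `label` filter on `/services/search/jobs`), as an added example that is not code from the thread or from Splunk. It builds both URLs with the encoding the last answer calls for and pulls the search IDs out of a JSON response. The host name, the use of `output_mode=json`, the response shape (`entry[].name`, `entry[].content.sid`) and the sample SIDs are assumptions or constructed values.

```python
import json
from urllib.parse import quote, urlencode

BASE = "https://splunk.example.com:8089"  # hypothetical management host and port


def history_url(saved_search_name, base=BASE):
    """Entity endpoint from the thread: /saved/searches/{name}/history."""
    # safe="" also encodes "/" so a search name cannot add extra path segments.
    name = quote(saved_search_name, safe="")
    return f"{base}/services/saved/searches/{name}/history?output_mode=json"


def jobs_by_label_url(label, prefix=False, base=BASE):
    """Collection filter from the thread: /services/search/jobs?search=label=..."""
    value = f"label={label}" + ("*" if prefix else "")
    # safe="*" leaves the wildcard as-is, giving the encoded form shown in the thread.
    query = urlencode({"search": value, "output_mode": "json"},
                      safe="*", quote_via=quote)
    return f"{base}/services/search/jobs?{query}"


def sids_from_response(body):
    """Return the search IDs listed in a JSON collection response.

    Assumption: each element of "entry" carries the SID in content["sid"],
    or, when that key is absent, in "name".
    """
    doc = json.loads(body)
    return [e.get("content", {}).get("sid") or e["name"]
            for e in doc.get("entry", [])]


# Constructed sample response (not real Splunk output).
SAMPLE = json.dumps({"entry": [
    {"name": "scheduler__admin__search__sample_at_1700000000_1", "content": {}},
    {"name": "search index=main", "content": {"sid": "1700000100.42"}},
]})

if __name__ == "__main__":
    print(history_url("My Search"))
    print(jobs_by_label_url("My Search", prefix=True))
    print(sids_from_response(SAMPLE))
```
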