Saved Endpoint
This documentation does not apply to the most recent version of Splunk.
The /services/saved/ endpoint provides REST API access to saved searches.
Searches
The /services/saved/searches endpoint provides saved search services.
GET
Returns a list of all the saved searches on the server that are visible to the current user.
| Query argument | Description |
| offset | The starting index of saved searches to return, positioned after sorting. Default is 0. |
| count | The maximum number of saved search results to return, starting from offset. 0 returns all. Default is 0. |
| sort_by | One of name, running, nextrun. The field on which to sort results. Default is name. |
| sort_dir | One of asc, desc. The sort direction. Default is asc. |
| sort_mode | One of alpha, numeric. The sort comparator method. Default is alpha. |
Response
| Status code | Description |
| 200 | Method executed successfully. |
Response Body
// sample response to /services/saved/searches
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>Saved Searches</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2008-01-11T14:02:00-0800</updated>
<generator version="30887"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>Daily indexing volume by server</title>
<id>https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server</id>
<published>2008-01-11T14:02:00-0800</published>
<updated>2008-01-11T14:02:00-0800</updated>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server" rel="alternate"/>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server/history" rel="history"/>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server/triggers" rel="triggers"/>
<author>
<name>admin</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="isRunning">1</s:key>
<s:key name="shareWith">everybody</s:key>
<s:key name="nextRunTime">2008-01-11T19:24:00-0800</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>Errors in the last 24 hours</title>
<id>https://localhost:8089/services/saved/searches/Errors%20in%20the%20last%2024%20hours</id>
<published>2008-01-11T14:02:00-0800</published>
<updated>2008-01-11T14:02:00-0800</updated>
<link href="https://localhost:8089/services/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/>
<link href="https://localhost:8089/services/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/>
<link href="https://localhost:8089/services/saved/searches/Errors%20in%20the%20last%2024%20hours/triggers" rel="triggers"/>
<author>
<name>admin</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="isRunning">1</s:key>
<s:key name="shareWith">everybody</s:key>
<s:key name="nextRunTime">2008-01-11T19:24:00-0800</s:key>
</s:dict>
</content>
</entry>
</feed>
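An added example (not part of the Splunk documentation): a Python parser for the Atom feed above that extracts each saved search's name, owner, links and s:dict properties, and lists the searches whose shareWith is everybody so their visibility can be reviewed. The sample feed is constructed from the response above; the second entry and its shareWith value are invented for contrast.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample, trimmed from the response above. The second entry and its
# shareWith value are made up for contrast; the page only shows "everybody".
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry>
<title>Daily indexing volume by server</title>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server" rel="alternate"/>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server/history" rel="history"/>
<author><name>admin</name></author>
<content type="text/xml"><s:dict>
<s:key name="isRunning">1</s:key>
<s:key name="shareWith">everybody</s:key>
</s:dict></content>
</entry>
<entry>
<title>Constructed private search</title>
<link href="https://localhost:8089/services/saved/searches/Constructed%20private%20search" rel="alternate"/>
<author><name>admin</name></author>
<content type="text/xml"><s:dict>
<s:key name="isRunning">0</s:key>
<s:key name="shareWith">constructed-value</s:key>
</s:dict></content>
</entry>
</feed>"""

def parse_saved_searches(feed_xml):
    """Return one dict per <entry>: name, owner, links keyed by rel, s:dict properties."""
    searches = []
    for entry in ET.fromstring(feed_xml).findall("atom:entry", NS):
        searches.append({
            "name": entry.findtext("atom:title", default="", namespaces=NS),
            "owner": entry.findtext("atom:author/atom:name", default="", namespaces=NS),
            "links": {link.get("rel"): link.get("href") for link in entry.findall("atom:link", NS)},
            "props": {k.get("name"): (k.text or "") for k in entry.findall("atom:content/s:dict/s:key", NS)},
        })
    return searches

def name_from_link(href):
    """Decode the saved search name from the last path segment of its 'alternate' link."""
    return unquote(urlsplit(href).path.rsplit("/", 1)[-1])

def shared_with_everybody(searches):
    """Names of saved searches whose shareWith property is 'everybody'."""
    return [s["name"] for s in searches if s["props"].get("shareWith") == "everybody"]
```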
POST
Adds a new saved search.
| Form argument | Description |
| search | The search to save. |
| name | The name of the saved search. |
| is_global | 1 or 0. Indicates whether the saved search is shared. Default is 0 (no). |
| is_scheduled | Whether the saved search runs on the saved schedule. |
| cron_schedule | The cron-formatted schedule of the saved search. Required for alerts. |
| alert_type | What to count; the count is compared with alert_threshold using alert_comparator. Required for alerts. |
| alert_threshold | The quantity that the alert_type count is compared to, using the relation in alert_comparator. Required for alerts. |
| alert_comparator | The relation between the alert_type count and alert_threshold. Required for alerts. |
| actions | A list of the actions to fire on alert; supported values are email and rss. For example, actions = rss,email enables both the RSS feed and email sending; to fire only a script, use actions = script. |
| action.<action_type>.<custom_key> | A key/value pair that is specific to the action_type. For example, if actions contains email, the following keys are necessary: |
action.email.to = foo@splunk.com
action.email.sender = splunkbot
Or for scripts:
action.script.filename = doodle.py
Response
| Status code | Description |
| 201 | Saved search was successfully created; will be followed by the header Location: /services/saved/searches/[saved_search_name]. |
| 400 | One or more of the arguments were invalid/missing; search was not saved. |
| 409 | The saved search name already exists. |
Response Body
// sample response to a successful save
<response>
<messages>
<msg type="INFO">Saved search 'foo' was created</msg>
</messages>
</response>
// sample response to an unsuccessful save
<response>
<messages>
<msg type="ERROR">Saved search 'foo' already exists</msg>
</messages>
</response>
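An added example (not part of the Splunk documentation): building the form-encoded body for this POST with the fields marked "Required for alerts" checked before sending, and mapping the documented 201/400/409 responses to an outcome. The alert values are treated as opaque strings because the page does not list the accepted values, and the percent-encoded Location path is an assumption based on the <id> URLs in the GET sample.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

ALERT_KEYS = ("cron_schedule", "alert_type", "alert_threshold", "alert_comparator")
OUTCOMES = {201: "created", 400: "invalid or missing arguments", 409: "name already exists"}
# Response body copied from the page's unsuccessful-save sample.
SAMPLE_CONFLICT = "<response><messages><msg type=\"ERROR\">Saved search 'foo' already exists</msg></messages></response>"

def build_create_form(name, search, alert=None, actions=(), action_settings=None):
    """Return the form-encoded POST body; raise ValueError if a documented requirement is unmet."""
    if not name or not search:
        raise ValueError("name and search are required")
    form = {"name": name, "search": search}
    if alert is not None:
        missing = [k for k in ALERT_KEYS if k not in alert]
        if missing:
            raise ValueError("alert is missing: " + ", ".join(missing))
        form.update(alert)
    if actions:
        form["actions"] = ",".join(actions)
    for key, value in (action_settings or {}).items():
        # Keys have the shape action.<action_type>.<custom_key>; the type must be listed in actions.
        parts = key.split(".", 2)
        if len(parts) != 3 or parts[0] != "action" or parts[1] not in actions:
            raise ValueError(key + " does not match an entry in actions")
        form[key] = value
    return urlencode(form)

def interpret_response(status, body, name):
    """Map a status code and <response> body to (outcome, expected Location, messages)."""
    messages = [(m.get("type"), m.text) for m in ET.fromstring(body).iter("msg")]
    # Assumption: the Location path percent-encodes the name like the <id> URLs in the GET sample.
    location = "/services/saved/searches/" + quote(name) if status == 201 else None
    return OUTCOMES.get(status, "unexpected status"), location, messages
```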
$SAVED_SEARCH_NAME
The /services/saved/searches/saved_search_name endpoint represents a specific saved search.
GET
Returns all the properties of a saved search.
Response
| Status code | Description |
| 200 | OK. |
| 404 | Saved search was not found. |
Response Body
// sample response to /services/saved/searches/[saved_search_name]
<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>Daily indexing volume by server</title>
<id>https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server</id>
<published>2008-01-11T14:02:00-0800</published>
<updated>2008-01-11T14:02:00-0800</updated>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server/history" rel="history"/>
<link href="https://localhost:8089/services/saved/searches/Daily%20indexing%20volume%20by%20server/triggers" rel="triggers"/>
<author>
<name>admin</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="isRunning">1</s:key>
<s:key name="shareWith">everybody</s:key>
<s:key name="nextRunTime">2008-01-11T19:24:00-0800</s:key>
...
</s:dict>
</content>
</entry>
POST
Edits a saved search.
| Form argument | Description |
| search | The search to save. |
| name | The name of the saved search. |
| is_global | 1 or 0. Indicates whether the saved search is shared. Default is 0 (no). |
| is_scheduled | Whether the saved search runs on the saved schedule. |
| cron_schedule | The cron-formatted schedule of the saved search. Required for alerts. |
| alert_type | What to count; the count is compared with alert_threshold using alert_comparator. Required for alerts. |
| alert_threshold | The quantity that the alert_type count is compared to, using the relation in alert_comparator. Required for alerts. |
| alert_comparator | The relation between the alert_type count and alert_threshold. Required for alerts. |
| actions | A list of the actions to fire on alert; supported values are email and rss. |
| action.<action_type>.<custom_key> | A key/value pair that is specific to the action_type. For example, if actions contains email, then the following keys would be necessary. |
Response
| Status code | Description |
| 200 | Saved search was successfully updated. |
| 201 | Saved search was successfully renamed; will be followed by the header Location: /services/saved/searches/[saved_search_name]. |
| 400 | One or more of the arguments were invalid/missing; search was not saved. |
| 409 | The new saved search name already exists; edits were not committed. |
Response Body
// sample response to a successful save
<response>
<messages>
<msg type="INFO">Saved search 'foo' was created</msg>
</messages>
</response>
// sample response to an unsuccessful save
<response>
<messages>
<msg type="ERROR">Saved search 'foo' already exists</msg>
</messages>
</response>
DELETE
Deletes the specified saved search.
Response
| Status code | Description |
| 200 | Saved search was deleted. |
| 404 | Saved search was not found; nothing deleted. |
Response Body
// sample response to a successful delete
<response>
<messages>
<msg type="INFO">Saved search 'foo' was deleted</msg>
</messages>
</response>
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.