The Splunk REST API • Room 3

Search Jobs via REST

Creating a search job via the REST API is a two-step asynchronous process: POST the search to `/services/search/jobs` to create the job, then poll the job's status until `isDone=true`.

Results are retrieved from `/services/search/jobs/{sid}/results` in JSON or XML format. The `sid` (Search ID) is returned in the initial POST response.

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Use SPL to list all currently running search jobs on the system: `| rest /services/search/jobs`.

Splunk Search Bar