topic Re: Splunk Rest API Response filtering in Splunk Enterprise

Splunk Rest API Response filtering

manish_navi — Fri, 26 Apr 2024 14:06:30 GMT

Hello ,

Using the below query i am able to get title and Definition of macros .

|rest /servicesNS/-/-/admin/macros |table title,definition

Can this same be achievable using https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json
postman call , that i will get only title and definition in response of an api call .

i tried using filter f, search as per the documentation but its not giving required response

Thanks In advance

Re: Splunk Rest API Response filtering

richgalloway — Fri, 26 Apr 2024 11:55:01 GMT

Please show exactly what you tried and tell how the results were not what was expected.

Re: Splunk Rest API Response filtering

deepakc — Fri, 26 Apr 2024 12:38:06 GMT

I dont know about the exact postman config for filtering, but via CLI you can test the below first and assuming you can use a Linux syste. .

For the API call its seems to be called name and not title as I have noticed, this is difference between | rest and calling the API. (dont know why this is...)

Further more If you install the jq command it’s a json processer command, it will help with the two fields you want, if not remove from my command below.

You will need a token created in Splunk.

See my example below

curl -k -H "Authorization: Bearer <YOUR TOKEN>" https://*****:8089/servicesNS/-/-/admin/macros --get -d output_mode=json | jq '.entry[] | {name: .name, definition: .content.definition}'

This should give you the results for the name of the macro and its defintion, optionally output to a json file

Re: Splunk Rest API Response filtering

manish_navi — Mon, 29 Apr 2024 13:13:44 GMT

@richgalloway

I was mentioning that by using below query : i can limit the result to show only title and definition

|rest /servicesNS/-/-/admin/macros |table title,definition

Would there be a way to do the same with rest API call for macro :
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json

While using above api call with postman , i am getting all the fields of results but i am interested in getting the result limited to show only "title" and "Definition" .
Like below i am getting all fields , can i restrict the results to show only name and Definition of macro

{ "links": { "create": "/servicesNS/-/-/admin/macros/_new", "_reload": "/servicesNS/-/-/admin/macros/_reload", "_acl": "/servicesNS/-/-/admin/macros/_acl" }, "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros", "updated": "2024-04-29T13:11:40+00:00", "generator": { "build": "78803f08aabb", "version": "9.2.1" }, "entry": [ { "name": "3cx_supply_chain_attack_network_indicators_filter", "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "updated": "1970-01-01T00:00:00+00:00", "links": { "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload", "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable" }, "author": "nobody", "acl": { "app": "DA-ESS-ContentUpdate", "can_change_perms": true, "can_list": true, "can_share_app": true, "can_share_global": true, "can_share_user": false, "can_write": true, "modifiable": true, "owner": "nobody", "perms": { "read": [ "*" ], "write": [ "admin" ] }, "removable": false, "sharing": "global" }, "content": { "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "disabled": false, "eai:acl": null, "eai:appName": "DA-ESS-ContentUpdate", "eai:userName": "nobody" } } ], "paging": { "total": 2195, "perPage": 30, "offset": 0 }, "messages": [] }

Re: Splunk Rest API Response filtering

richgalloway — Mon, 29 Apr 2024 14:15:04 GMT

You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_parameters

Try something like this:

https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description

Re: Splunk Rest API Response filtering

manish_navi — Wed, 08 May 2024 05:51:57 GMT

@richgalloway

I have already tried using this if you see my posted questions , there i have already mentioned that filters parameter f , is not working .

here is the screenshot if what i tried

Re: Splunk Rest API Response filtering

richgalloway — Wed, 08 May 2024 12:09:55 GMT

I believe you have to use the full name of the field ("entry.name", for example).

Re: Splunk Rest API Response filtering

isoutamo — Wed, 08 May 2024 13:44:44 GMT

it seems that when you are using output_mode=json those f=xyz didn't work. Instead of those you must use jq as @deepakc already propose.

curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name' "3cx_supply_chain_attack_network_indicators_filter" "7zip_commandline_to_smb_share_path_filter" "abnormally_high_aws_instances_launched_by_user___mltk_filter" "abnormally_high_aws_instances_launched_by_user_filter"

You could/should leave comment on doc page where output_mode has defined and add information that if you are using json mode then f=xyz doesn't work. Doc team is really helpful to update that kind of notes into real documentation.

r. Ismo

Re: Splunk Rest API Response filtering

manish_navi — Thu, 23 May 2024 09:21:59 GMT

@deepakc and @isoutamo , If this require installation of JQ , then it would not be possible , because if i want my customer to use the application , and prerequisite is to install the JQ widget , I simply cant force my customer.

Re: Splunk Rest API Response filtering

manish_navi — Thu, 23 May 2024 09:23:43 GMT

@richgalloway would be helpful , if you can give screenshot of working solution , as i have tried this as well and no luck

Re: Splunk Rest API Response filtering

deepakc — Thu, 23 May 2024 09:26:02 GMT

The jq was a suggestion, and an optional command to help with filtering, if they can't use it, then they have to find an alternative method.