topic Re: REST API - "GET" SavedSearches gets confused? 🙄 in Splunk Enterprise

REST API - "GET" SavedSearches gets confused? 🙄

verbal_666 — Fri, 06 Dec 2024 07:21:18 GMT

Hello.
I'm getting trouble listing all my SavedSearches from a SHC, using a command line REST API get.

I'm asking Splunk to list all savedsearches of user "admin" in "MYAPP" app.

For some strange reason, i can't locate, list gets also some other apps 🙄🙄🙄

Here we are,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u

... and here what it came from,

<s:key name="app">MYAPP</s:key> <s:key name="app">MYAPP_backup</s:key> <s:key name="app">ANOTHER_APP</s:key> <s:key name="app">search</s:key>

I expect only "<s:key name="app">MYAPP</s:key>" entries, or not?
What's wrong??? 😏😏😏

Linux OS
SPLUNK ENTERPRISE 8.2.12
SHC 3 Nodes (all nodes reponses the same output)

Thanks.

Re: REST API - "GET" SavedSearches gets confused? 🙄

PaulPanther — Fri, 06 Dec 2024 08:10:37 GMT

The REST API gives you also globally shared searches back.

You could try:

1. filter out all searches with name="sharing">global<

2. filter for name="app">MYAPP<

3. use a different user to call the api

Re: REST API - "GET" SavedSearches gets confused? 🙄

PickleRick — Fri, 06 Dec 2024 09:16:42 GMT

Nope. You're mistaking two different things.

One is where the search is defined. Another is where it is visible.

By calling /servicesNS/admin/myapp you're getting a list of apps _visible_ in context of user admin and app myapp. It might as well be defined in another app and shared globally.

Re: REST API - "GET" SavedSearches gets confused? 🙄

verbal_666 — Fri, 06 Dec 2024 09:20:16 GMT

Ahhhhhhhhhhh, here we go!!! It takes also the "sharing=global" objects 🙄i understand.
Are there more parameters to filter directly from the GET? I can't read them in Documentation 🤷‍♀️
(also the "?count=x" is not documented 🤔)
Thanks.

Re: REST API - "GET" SavedSearches gets confused? 🙄

PickleRick — Fri, 06 Dec 2024 09:31:53 GMT

The count parameter seems to be a general parameter recognized by all (?) GET endpoints. It's indeed not explicitly documented although it's hinted here https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

And I don't think you can filter in the REST call itself. You have to get all results and postprocess them yourself - the eai:appName should contain the name of the app the search is defined in.

(and I always use /servicesNS/-/-/ and just filter afterwards).

Re: REST API - "GET" SavedSearches gets confused? 🙄

verbal_666 — Fri, 06 Dec 2024 10:53:42 GMT

Just a beginning for shell... with script parameters (user and app in variables), i'm close enough to what i'm seeking 😀

Perhaps not perfect, yet... but close 😀

Thanks.

Re: REST API - "GET" SavedSearches gets confused? 🙄

PickleRick — Fri, 06 Dec 2024 11:01:57 GMT

One hint - while Splunk returns XML by default, it might be easier to use -d output_mode=json with your curl and use the json output - there are more easier available tools for manipulating json in shell than for XML.

So you can "easily" do something like this:

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | {name: .name, app: .acl.app}'

or even

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | .acl.app + ":" + .name'

(the jq tool is fairly easily available in modern distros while xmlint or similar stuff might not be).

Re: REST API - "GET" SavedSearches gets confused? 🙄

verbal_666 — Fri, 06 Dec 2024 11:18:43 GMT

Great 👏👏👍

Effectively XML is quite obsolete 😴

Thanks again 👍

Re: REST API - "GET" SavedSearches gets confused? 🙄

verbal_666 — Sat, 07 Dec 2024 03:42:24 GMT

Final version... obviously inside a script or an interactive menu with parameters should work fine 👍

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | .name + " : " + .acl.app + " : " + .author + " : " + .acl.owner + " : " + .acl.sharing + " : " + (.content.disabled|tostring) '

Alternative,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | [.name,.acl.app,.author,.acl.owner,.acl.sharing,.content.disabled] | @csv '

Thanks all 👍