https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364573#M66405 <P>Unfortunately this is not what we need. We want to query whether an IP address is in the ip_intel collection. This curl command returns the item with the key. We want the item that match a given ip address.</P> <P>Thanks.</P> Wed, 21 Mar 2018 18:30:03 GMT ibmresilient 2018-03-21T18:30:03Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364566#M66398 <P>We follow the example from this page (<A href="http://docs.splunk.com/Documentation/ES/4.7.2/API/ThreatIntelligenceAPIreference" target="_blank">http://docs.splunk.com/Documentation/ES/4.7.2/API/ThreatIntelligenceAPIreference</A>) to run a curl command:</P> <P>curl -k -u admin:pass <A href="https://localhost:8089/services/data/threat_intel/item/ip_intel" target="_blank">https://localhost:8089/services/data/threat_intel/item/ip_intel</A> -d item='{"ip":one_ip_address}' -G -X GET<BR /> where one_ip_address is one from the ip_intel collection</P> <P>Splunk ES returns error:<BR /> {"status": false, "message": "Found an invalid record in item list. Each record must have _key field."}</P> <P>We follow the search example in the same page and run from the search page<BR /> | inputlookup ip_intel | search ip=one_ip_address | eval item_key=_key<BR /> And it works. Here one_ip_address is the same ip as the command above. We can also use Splunk SDK to execute the above search and get the correct result.</P> <P>Did we do something wrong with the curl command?</P> <P>Thanks!</P> Tue, 29 Sep 2020 18:34:23 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364566#M66398 ibmresilient 2020-09-29T18:34:23Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364567#M66399 <P>Hey</P> <P>I just tried your example curl and this one doesn't work but</P> <PRE><CODE>curl -k -u admin:pass <A href="https://localhost:8094/services/data/threat_intel/item/ip_intel" target="test_blank">https://localhost:8094/services/data/threat_intel/item/ip_intel</A> -d item='{"ip":58.64.179.144}' -G -X GET </CODE></PRE> <P>But the second one, with the ip between double quotes work.</P> <PRE><CODE>curl -k -u admin:pass <A href="https://localhost:8094/services/data/threat_intel/item/ip_intel" target="test_blank">https://localhost:8094/services/data/threat_intel/item/ip_intel</A> -d item='{"ip":"58.64.179.144"}' -G -X GET </CODE></PRE> <P>Can you try it please?</P> Tue, 20 Mar 2018 07:32:37 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364567#M66399 tiagofbmm 2018-03-20T07:32:37Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364568#M66400 <P>Thanks for your reply. <BR /> Sorry about my typo. I actually tried with double quotes. </P> <P>curl -k -u admin:pass <A href="https://localhost:8089/services/data/threat_intel/item/ip_intel">https://localhost:8089/services/data/threat_intel/item/ip_intel</A> -d item='{"ip":"58.64.179.144"}' -G -X GET</P> <P>Just verified again, and still get the same error:<BR /> {"message": "Found an invalid record in item list. Each record must have _key field.", "status": false}</P> <P>I am using Splunk Enterprise 6.6.1 and Splunk ES 4.7.2.</P> <P>Thanks.</P> Tue, 20 Mar 2018 15:29:09 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364568#M66400 ibmresilient 2018-03-20T15:29:09Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364569#M66401 <P>Just one more information. We did not add any ip_intel to the collections. Those ip_intel must be the same as the initial installation of Splunk ES. </P> <P>Also a search from the search page of Splunk ES works fine. This should not be caused by a collapsed ip_intel collection. </P> Tue, 29 Sep 2020 18:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364569#M66401 ibmresilient 2020-09-29T18:36:18Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364570#M66402 <P>Can you try the curl like this:</P> <P><A href="http://docs.splunk.com/Documentation/ES/5.0.0/API/ThreatIntelligenceAPIreference#.2Fservices.2Fdata.2Fthreat_intel.2Fitem.2F.7Bthreat_intel_collection.7D.2F.7Bitem_key.7D">http://docs.splunk.com/Documentation/ES/5.0.0/API/ThreatIntelligenceAPIreference#.2Fservices.2Fdata.2Fthreat_intel.2Fitem.2F.7Bthreat_intel_collection.7D.2F.7Bitem_key.7D</A></P> <PRE><CODE>curl -k -u admin:changeme <A href="https://localhost:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d" target="test_blank">https://localhost:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d</A> </CODE></PRE> Tue, 20 Mar 2018 15:47:00 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364570#M66402 tiagofbmm 2018-03-20T15:47:00Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364571#M66403 <P>This one works fine.</P> <P>Thanks,</P> Wed, 21 Mar 2018 17:58:33 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364571#M66403 ibmresilient 2018-03-21T17:58:33Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364572#M66404 <P>If the answer suits your needs, accept or upvote please.</P> Wed, 21 Mar 2018 18:00:37 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364572#M66404 tiagofbmm 2018-03-21T18:00:37Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364573#M66405 <P>Unfortunately this is not what we need. We want to query whether an IP address is in the ip_intel collection. This curl command returns the item with the key. We want the item that match a given ip address.</P> <P>Thanks.</P> Wed, 21 Mar 2018 18:30:03 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364573#M66405 ibmresilient 2018-03-21T18:30:03Z https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364574#M66406 <P>Found this one:<BR /> <A href="https://answers.splunk.com/answers/555780/splunk-enterprise-security-where-do-i-specify-key.html" target="_blank">https://answers.splunk.com/answers/555780/splunk-enterprise-security-where-do-i-specify-key.html</A><BR /> Seems to be a bug in 4.7.2, which is the one I am using now.</P> <P>The alternative way is to use the Splunk SDK to run a search:<BR /> search | inputlookup ip_intel | search ip="58.64.179.144" | eval item_key = _key<BR /> This will give you the key:<BR /> fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d</P> <P>Then you can use the url given by tiagofbmm to fetch information or to delete.</P> Tue, 29 Sep 2020 18:37:10 GMT https://community.splunk.com/t5/Getting-Data-In/Use-curl-to-get-ip-intel-information-from-Splunk-ES/m-p/364574#M66406 ibmresilient 2020-09-29T18:37:10Z