https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522338#M9321 <P>Whoops. It was URL encoded but Splunk Answers converted it back out. Guess I should have stuck that URL into a code block.</P> Wed, 30 Sep 2020 18:19:41 GMT cwo1010 2020-09-30T18:19:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522286#M9316 <P>Hello,</P><P>I am trying to use Splunk's REST API in order to change portions of existing correlation searches created within Enterprise Security. For this test, I created a correlation search called chris_test. It has a description of "Test correlation search". I would like to modify its description to be "AAA". I try to do this as follows:</P><LI-CODE lang="markup">curl -k -u chris https://essplunk.company.com:8089/servicesNS/chris/SplunkEnterpriseSecuritySuite/saved/searches/Threat%20-%20chris_test%20-%20Rule -d description="EEE" &gt; chris_test.txt</LI-CODE><P>I also tried with:</P><P>-X POST -d description="EEE"</P><P>In both cases, it doesn't seem to make the update to the correlation search. Can someone help me to better understand what I am doing wrong? Long-term, I'd like to be able to use REST API to update the Next Steps of a notable Adaptive Response via something like:</P><P>-d&nbsp;action.notable.param.next_steps="DEMO"</P> Wed, 30 Sep 2020 18:19:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522286#M9316 cwo1010 2020-09-30T18:19:05Z https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522336#M9320 <P>Have you tried URL-encoding the search name?</P> Wed, 30 Sep 2020 18:16:21 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522336#M9320 richgalloway 2020-09-30T18:16:21Z https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522338#M9321 <P>Whoops. It was URL encoded but Splunk Answers converted it back out. Guess I should have stuck that URL into a code block.</P> Wed, 30 Sep 2020 18:19:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522338#M9321 cwo1010 2020-09-30T18:19:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522707#M9332 <P>Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/&lt;app&gt;/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/&lt;app&gt;/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.</P><P>&nbsp;</P><P>Hope this helps.</P> Fri, 02 Oct 2020 16:22:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522707#M9332 jnussbaum_splun 2020-10-02T16:22:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522720#M9333 <P>Replacing the username with "nobody" correctly converted the REST API action from a "create new search" action into a "modify an existing search" action.</P> Fri, 02 Oct 2020 17:26:58 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-to-Modify-ES-Correlation-Search/m-p/522720#M9333 cwo1010 2020-10-02T17:26:58Z