- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Where is URL for a Knowledge Objects search within...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking to define globally all of the 'knowledge objects' within a search head. Where is the URL found within Settings? Or is there a different search that would provide the URL?
I want to implement the following search, but need the URL and have not found it as of yet.
| rest <URL goes here>
splunk_server=local count=0
| rename eai:* as *, acl.* as *
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y"))
| sort type | stats list(title) as title, list(type) as type, list(orphaned) as orphaned, list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ThatGuyPSH ,
Going by the REST API reference: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTprolog#Using_the_REST_API_reference
I don't think there is a single REST endpoint hat meets your requirements. What you could do is to create some saved searches that write the different types of knowledge objects to a summary index then use that summary index to search the current list of KOs and also see how they have changed over time.
For example have a saved search that writes all event types to the index via use of this REST endpoint: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTknowledge#saved.2Feventtypes
FYI - by default | rest <URI> goes to every server in the deployment so you will most likely want to do some sort of dedup with the results
Thanks,
Jamie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jamie -
Thank you! That was very helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ThatGuyPSH ,
Going by the REST API reference: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTprolog#Using_the_REST_API_reference
I don't think there is a single REST endpoint hat meets your requirements. What you could do is to create some saved searches that write the different types of knowledge objects to a summary index then use that summary index to search the current list of KOs and also see how they have changed over time.
For example have a saved search that writes all event types to the index via use of this REST endpoint: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTknowledge#saved.2Feventtypes
FYI - by default | rest <URI> goes to every server in the deployment so you will most likely want to do some sort of dedup with the results
Thanks,
Jamie
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
