Deployment Architecture

Where is URL for a Knowledge Objects search within settings?

ThatGuyPSH
Explorer

I am looking to define globally all of the 'knowledge objects' within a search head. Where is the URL found within Settings? Or is there a different search that would provide the URL?

I want to implement the following search, but need the URL and have not found it as of yet.

| rest <URL goes here> 
splunk_server=local count=0
| rename eai:* as *, acl.* as *
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y"))
| sort type | stats list(title) as title, list(type) as type, list(orphaned) as orphaned, list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app

 

Labels (1)
0 Karma
1 Solution

jamie00171
Communicator

Hi @ThatGuyPSH ,

 

Going by the REST API reference: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTprolog#Using_the_REST_API_reference

I don't think there is a single REST endpoint hat meets your requirements. What you could do is to create some saved searches that write the different types of knowledge objects to a summary index then use that summary index to search the current list of KOs and also see how they have changed over time. 

For example have a saved search that writes all event types to the index via use of this REST endpoint: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTknowledge#saved.2Feventtypes

FYI - by default | rest <URI> goes to every server in the deployment so you will most likely want to do some sort of dedup with the results 

Thanks,

Jamie

View solution in original post

ThatGuyPSH
Explorer

Jamie - 

Thank you! That was very helpful.

0 Karma

jamie00171
Communicator

Hi @ThatGuyPSH ,

 

Going by the REST API reference: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTprolog#Using_the_REST_API_reference

I don't think there is a single REST endpoint hat meets your requirements. What you could do is to create some saved searches that write the different types of knowledge objects to a summary index then use that summary index to search the current list of KOs and also see how they have changed over time. 

For example have a saved search that writes all event types to the index via use of this REST endpoint: https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTknowledge#saved.2Feventtypes

FYI - by default | rest <URI> goes to every server in the deployment so you will most likely want to do some sort of dedup with the results 

Thanks,

Jamie

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...