Getting Data In

How do use the Splunk REST API to update macros that live under a different app?

starbuck
New Member

Hiya, I'm trying to use the Splunk REST API to update macros that I've recently had to move to live under a different app that isn't the default `search` app.

Before when the macro lived in the `search` app I was able to make a POST request to 

 

/servicesNS/<account>/search/admin/macros/<macroName>

 

And this worked:

 

elif search_or_macro == 'macros':
    url = '<ROOT>/servicesNS/<ACCOUNT>/search/admin/macros/{}'.format(macro_name)
    res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})

 


However once I moved the macros to live under a new app, let's call it `my_new_app`, POST requests no longer work to update the macro. This is what I have currently:

 

elif search_or_macro == 'macros':
  url = '<ROOT>/servicesNS/nobody/my_new_app/admin/macros/{}'.format(macro_name)
  res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})

 

I have tried replacing `nobody` with:

  • admin
  • the account that owns the macro

However neither of these work.

I used the following splunk command to verify that the endpoint does seem to exist:

 

| rest /servicesNS/<ACCOUNT>/my_new_app/admin/macros/<MACRO NAME>
| search author=<ACCOUNT>

 

And when I run that I get the following `id`:

 

https://127.0.0.1:8089/servicesNS/nobody/my_new_app/admin/macros/<MACRO NAME>

 

 
I have also read through the REST API documentation here:

However none of these explicitly describe how to update macros, and all I can seem to find when googling are old posts from 2015-2019 that weren't applicable to what I am trying to achieve

Any help here would greatly be appreciated, I feel like I'm missing something simple but can't find further documentation that applies to macros

Labels (1)
0 Karma

deepakc
Builder

Check some of the app permissions settings using the below, this may help troubleshoot - it sounds like a permissions issue.

 

| rest splunk_server=local servicesNS/nobody/search/configs/conf-macros
| search eai:acl.app=my_new_app
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...