Hiya, I'm trying to use the Splunk REST API to update macros that I've recently had to move to live under a different app that isn't the default `search` app.
Before when the macro lived in the `search` app I was able to make a POST request to
/servicesNS/<account>/search/admin/macros/<macroName>
And this worked:
elif search_or_macro == 'macros':
url = '<ROOT>/servicesNS/<ACCOUNT>/search/admin/macros/{}'.format(macro_name)
res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})
However once I moved the macros to live under a new app, let's call it `my_new_app`, POST requests no longer work to update the macro. This is what I have currently:
elif search_or_macro == 'macros':
url = '<ROOT>/servicesNS/nobody/my_new_app/admin/macros/{}'.format(macro_name)
res = requests.post(url, headers=headers, data={'definition': r'{}'.format(macro_definition)})
I have tried replacing `nobody` with:
However neither of these work.
I used the following splunk command to verify that the endpoint does seem to exist:
| rest /servicesNS/<ACCOUNT>/my_new_app/admin/macros/<MACRO NAME>
| search author=<ACCOUNT>
And when I run that I get the following `id`:
https://127.0.0.1:8089/servicesNS/nobody/my_new_app/admin/macros/<MACRO NAME>
I have also read through the REST API documentation here:
However none of these explicitly describe how to update macros, and all I can seem to find when googling are old posts from 2015-2019 that weren't applicable to what I am trying to achieve
Any help here would greatly be appreciated, I feel like I'm missing something simple but can't find further documentation that applies to macros
Check some of the app permissions settings using the below, this may help troubleshoot - it sounds like a permissions issue.
| rest splunk_server=local servicesNS/nobody/search/configs/conf-macros
| search eai:acl.app=my_new_app