- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- REST endpoint for modifying $app/local/macros.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd like to have my app not clobber other people's index names, or to be able to reference an existing (but I don't know what index search)
I thought that I could, in my app's setup.xml, prompt the user for the desired index name.
But then, how do I get my saved search or view or dashboard to reference the value the user entered?
I created a macro in $app/etc/default/macros.conf, defining:
[appindex]
definition = index=foo
and in the app, I can define my searches referencing `appindex` therestofthequery and everything works fine.
I can get setup.xml to prompt for the desired index name, but I can't find the REST endpoint that will put the definition in $app/local/macros.conf
Is there another way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The link below will have the answer in the question.
With the Python SDK, you can access it even easier:
from splunklib.client import connect
...
service = connect(username="admin", password="changeme", host="myhost", app="search")
# To update a macro named "test" in the search app
service.post('properties/macros/test', definition="test123")
# To read a macro named "test" in the search app
print service.get('properties/macros/test/definition')["body"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking at the urls that come back with Settings > (Knowledge) Advanced Search > Search macros. It looks like those are controlled through the /servicesNS/(usercontext)/(appcontext)/admin/macros endpoint and children endpoints. Wiring it up isn't something I've done yet, but this might help... check out |rest /servicesNS/-/-/admin/macros for example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The link below will have the answer in the question.
With the Python SDK, you can access it even easier:
from splunklib.client import connect
...
service = connect(username="admin", password="changeme", host="myhost", app="search")
# To update a macro named "test" in the search app
service.post('properties/macros/test', definition="test123")
# To read a macro named "test" in the search app
print service.get('properties/macros/test/definition')["body"]
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
