Getting Data In

REST endpoint for modifying $app/local/macros.conf

jpvlsmv
Path Finder

I'd like to have my app not clobber other people's index names, or to be able to reference an existing (but I don't know what index search)

I thought that I could, in my app's setup.xml, prompt the user for the desired index name.

But then, how do I get my saved search or view or dashboard to reference the value the user entered?

I created a macro in $app/etc/default/macros.conf, defining:

     [appindex]
     definition = index=foo

and in the app, I can define my searches referencing `appindex` therestofthequery and everything works fine.

I can get setup.xml to prompt for the desired index name, but I can't find the REST endpoint that will put the definition in $app/local/macros.conf

Is there another way to do this?

1 Solution

vcarbona
Path Finder

The link below will have the answer in the question.

With the Python SDK, you can access it even easier:

from splunklib.client import connect
...
service = connect(username="admin", password="changeme", host="myhost", app="search")
# To update a macro named "test" in the search app
service.post('properties/macros/test', definition="test123")

# To read a macro named "test" in the search app
print service.get('properties/macros/test/definition')["body"]

View solution in original post

acharlieh
Influencer

Looking at the urls that come back with Settings > (Knowledge) Advanced Search > Search macros. It looks like those are controlled through the /servicesNS/(usercontext)/(appcontext)/admin/macros endpoint and children endpoints. Wiring it up isn't something I've done yet, but this might help... check out |rest /servicesNS/-/-/admin/macros for example.

vcarbona
Path Finder

The link below will have the answer in the question.

With the Python SDK, you can access it even easier:

from splunklib.client import connect
...
service = connect(username="admin", password="changeme", host="myhost", app="search")
# To update a macro named "test" in the search app
service.post('properties/macros/test', definition="test123")

# To read a macro named "test" in the search app
print service.get('properties/macros/test/definition')["body"]
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...