I'd like to have my app not clobber other people's index names, or to be able to reference an existing (but I don't know what index search)
I thought that I could, in my app's setup.xml, prompt the user for the desired index name.
But then, how do I get my saved search or view or dashboard to reference the value the user entered?
I created a macro in $app/etc/default/macros.conf, defining:
    [appindex]
    definition = index=foo
and in the app, I can define my searches referencing
`appindex` therestofthequery and everything works fine.
I can get setup.xml to prompt for the desired index name, but I can't find the REST endpoint that will put the definition in $app/local/macros.conf
Is there another way to do this?
The link below will have the answer in the question.
With the Python SDK, you can access it even easier:
    from splunklib.client import connect
    ...
    service = connect(username="admin", password="changeme", host="myhost", app="search")

    # To update a macro named "test" in the search app
    service.post('properties/macros/test', definition="test123")

    # To read a macro named "test" in the search app
    print(service.get('properties/macros/test/definition')["body"])
Looking at the URLs that come back with Settings > (Knowledge) Advanced Search > Search macros, it looks like those are controlled through the /servicesNS/(usercontext)/(appcontext)/admin/macros endpoint and children endpoints. Wiring it up isn't something I've done yet, but this might help... check out
|rest /servicesNS/-/-/admin/macros for example.
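Added example, not code from any of the posts above: the index name typed at setup ends up inside a macro that is expanded into every search using it, so it is worth validating before it is posted to the properties/macros endpoint from the SDK answer. The function names, the "nobody" owner in the path and the length cap are assumptions for illustration; the character rule follows Splunk's documented naming rule for user-defined indexes.

```python
import re

# Splunk's rule for user-defined index names: lowercase letters, digits,
# underscores and hyphens; must not start with "_" or "-"; must not contain
# "kvstore". Internal indexes such as _internal are rejected on purpose here.
_INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")
_OBJECT_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")
MAX_LEN = 80  # assumption: conservative cap chosen for this example


def macro_update_request(app, index_name, macro="appindex"):
    """Return (path, params) for the macro update, or raise ValueError."""
    if not isinstance(index_name, str):
        raise ValueError("index name must be a string")
    name = index_name.strip()
    if len(name) > MAX_LEN or not _INDEX_NAME.fullmatch(name) or "kvstore" in name:
        raise ValueError("not a valid index name: %r" % index_name)
    for label, value in (("app", app), ("macro", macro)):
        if not _OBJECT_NAME.fullmatch(value):
            raise ValueError("unexpected characters in %s name" % label)
    # Assumption: owner "nobody" targets the app's namespace, not one user's.
    path = "/servicesNS/nobody/%s/properties/macros/%s" % (app, macro)
    # The definition is built only from the validated name, so nothing but a
    # single index=<name> term can reach the searches that use the macro.
    return path, {"definition": "index=%s" % name}


def apply_macro_update(service, app, index_name):
    """Send the update through a connected splunklib Service object."""
    path, params = macro_update_request(app, index_name)
    return service.post(path, **params)
```

A setup handler would call apply_macro_update with the Service object it already holds and show the ValueError message to the user instead of saving the value.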