We follow the example from this page (http://docs.splunk.com/Documentation/ES/4.7.2/API/ThreatIntelligenceAPIreference) to run a curl command:
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":one_ip_address}' -G -X GET
where one_ip_address is one from the ip_intel collection
Splunk ES returns error:
{"status": false, "message": "Found an invalid record in item list. Each record must have _key field."}
We follow the search example in the same page and run from the search page
| inputlookup ip_intel | search ip=one_ip_address | eval item_key=_key
And it works. Here one_ip_address is the same ip as the command above. We can also use Splunk SDK to execute the above search and get the correct result.
Did we do something wrong with the curl command?
Thanks!
Can you try the curl like this:
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64...
This one works fine.
Thanks,
If the answer suits your needs, accept or upvote please.
Unfortunately this is not what we need. We want to query whether an IP address is in the ip_intel collection. This curl command returns the item with the key. We want the item that matches a given IP address.
Thanks.
Found this one:
https://answers.splunk.com/answers/555780/splunk-enterprise-security-where-do-i-specify-key.html
Seems to be a bug in 4.7.2, which is the one I am using now.
The alternative way is to use the Splunk SDK to run a search:
search | inputlookup ip_intel | search ip="58.64.179.144" | eval item_key = _key
This will give you the key:
fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d
Then you can use the url given by tiagofbmm to fetch information or to delete.
Hey
I just tried your example curl and this one doesn't work:
curl -k -u admin:pass https://localhost:8094/services/data/threat_intel/item/ip_intel -d item='{"ip":58.64.179.144}' -G -X GET
But the second one, with the IP between double quotes, works.
curl -k -u admin:pass https://localhost:8094/services/data/threat_intel/item/ip_intel -d item='{"ip":"58.64.179.144"}' -G -X GET
Can you try it please?
Thanks for your reply.
Sorry about my typo. I actually tried with double quotes.
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":"58.64.179.144"}' -G -X GET
Just verified again, and still get the same error:
{"message": "Found an invalid record in item list. Each record must have _key field.", "status": false}
I am using Splunk Enterprise 6.6.1 and Splunk ES 4.7.2.
Thanks.
Just one more piece of information. We did not add any ip_intel to the collections. Those ip_intel must be the same as in the initial installation of Splunk ES.
Also a search from the search page of Splunk ES works fine. This should not be caused by a collapsed ip_intel collection.
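The thread turns on two details: the `item` parameter must be valid JSON (the IP has to be a quoted string, as the double-quote discussion shows), and when ES 4.7.2 still answers "Each record must have _key field", the workaround is the inputlookup search that resolves the record's `_key`, after which the per-key URL fetches or deletes the record. The following Python is an added example written for this thread; it is not code from Splunk, the Splunk SDK, or any poster. It uses only the endpoint path, the SPL and the error body that appear above; the injectable `fetch` transport, the `urllib_fetch` helper and the constructed `ERROR_BODY` replay are assumptions so it runs offline. Validating the IP with `ipaddress` before it is interpolated into SPL also keeps arbitrary user input out of the search string.

```python
"""Querying ES ip_intel by IP, with the _key-bug fallback from the thread.

Added example, not Splunk's or the thread's own code. Assumptions: the item
endpoint path and SPL are as quoted in the thread; the HTTP transport is
injectable so the module runs offline against a constructed response.
"""
import base64
import ipaddress
import json
import urllib.error
import urllib.parse
import urllib.request

ITEM_ENDPOINT = "/services/data/threat_intel/item/ip_intel"
KEY_ERROR = "Each record must have _key field"

# Constructed replay of the error body quoted in the thread (not a live response).
ERROR_BODY = ('{"message": "Found an invalid record in item list. '
              'Each record must have _key field.", "status": false}')


def build_item_query(ip: str) -> str:
    """URL-encoded query string for GET on the item endpoint.

    json.dumps guarantees the IP is a quoted JSON string, which is what the
    thread found necessary; ipaddress rejects anything that is not an IP literal.
    """
    ipaddress.ip_address(ip)  # raises ValueError on non-IP input
    item = json.dumps({"ip": ip}, separators=(",", ":"))
    return urllib.parse.urlencode({"item": item})


def fallback_search(ip: str) -> str:
    """The SPL from the thread that resolves a record's _key for a given IP."""
    ipaddress.ip_address(ip)  # validated, so the value cannot alter the SPL
    return f'| inputlookup ip_intel | search ip="{ip}" | eval item_key=_key'


def item_url_for_key(base_url: str, key: str) -> str:
    """Per-key URL (the form tiagofbmm posted) for fetching or deleting one record.

    Keys contain colons; they are legal in a URL path, so they are left as-is.
    """
    return f"{base_url}{ITEM_ENDPOINT}/{urllib.parse.quote(key, safe=':')}"


def interpret_response(body: str):
    """Classify a response body: ('key_error', msg), ('error', msg) or ('ok', data)."""
    data = json.loads(body)
    if isinstance(data, dict) and data.get("status") is False:
        msg = data.get("message", "")
        return ("key_error" if KEY_ERROR in msg else "error", msg)
    return ("ok", data)


def lookup_ip(base_url: str, ip: str, fetch):
    """GET the item by IP; if the _key bug fires, return the SPL fallback instead.

    `fetch(url)` performs the authenticated GET and returns the body text.
    """
    url = f"{base_url}{ITEM_ENDPOINT}?{build_item_query(ip)}"
    kind, payload = interpret_response(fetch(url))
    if kind == "key_error":
        return ("fallback", fallback_search(ip))
    return (kind, payload)


def urllib_fetch(user: str, password: str):
    """Real transport: HTTP basic auth; TLS certificate verification stays on
    (the thread's curl -k turns it off, which is only acceptable in a lab)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(url: str) -> str:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:  # Splunk returns the JSON error body on 4xx/5xx
            return err.read().decode()
    return fetch


if __name__ == "__main__":
    # Offline run: a constructed transport that replays the thread's error body.
    def fake_fetch(url: str) -> str:
        print("GET", url)
        return ERROR_BODY

    print(lookup_ip("https://localhost:8089", "58.64.179.144", fake_fetch))
    key = ("fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:"
           "fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d")
    print(item_url_for_key("https://localhost:8089", key))
```

Against a live server, replace `fake_fetch` with `urllib_fetch("admin", password)`; the admin credentials shown in the thread are the default ones and should be rotated on any non-lab instance.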