Where can I find documentation on how to update a macro by using the API?

whiterd434
Explorer

I have successfully used the code below to create a macro (POST using 'requests' with Python). However, I have been unable to find any documentation that states that this is possible. Based on the error messages I came across, "definition" is known as a "handler" within the Splunk API. I am trying to find any other "handlers" that I can target for updating macros. The main thing I would like to accomplish now is to change the permission level of a newly created macro to the app it is inside of (since it defaults to owner only).

payload = {'definition': 'query here'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name'

Thank you for your time.
-Randall

0 Karma

stephaniem_splu
Splunk Employee

Typically you can use handlers to update conf files (such as the services/data/transforms endpoint for transforms.conf), but macros are an exception. The Splunk REST API does not offer any dedicated handlers for macros.

You can use the /acl endpoint to change permissions (as you discovered), or you can use the /properties or /configs handlers to manipulate macros.conf files directly: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTconf

whiterd434
Explorer

I do know where the Splunk documentation is and have already made extensive use of it to get to this point.

0 Karma

whiterd434
Explorer

I found part of my answer. While I still cannot find specific documentation on creating/updating macros through the API, I found how to update the scope after the fact.

payload = {'owner': 'username', 'sharing': 'app'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name/acl'

Access Control List Documentation
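
The two calls described in this thread (POST a `definition` to the macro endpoint, then POST `owner` and `sharing` to its `/acl` endpoint), as an added example that is not part of the original posts and is not Splunk's own code. It uses only the standard library to build the requests without sending them; the host name, the bearer-token header, the function names and the JSON reply shape in `SAMPLE_ACL_REPLY` are assumptions, and the reply is constructed sample data.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request

# Sharing levels accepted here; anything else is rejected before a request is built.
VALID_SHARING = {"user", "app", "global"}

def macro_url(base, owner, app, macro, acl=False):
    """Build the endpoint used in the thread. Each path segment is fully
    percent-encoded, so a macro name such as "mymacro(2)" or one containing
    "/" cannot change which resource the request addresses."""
    owner, app, macro = (quote(p, safe="") for p in (owner, app, macro))
    url = f"{base.rstrip('/')}/servicesNS/{owner}/{app}/admin/macros/{macro}"
    return url + "/acl" if acl else url

def post_request(url, fields, token):
    """Form-encoded POST; the Authorization scheme is an assumption."""
    return Request(url, data=urlencode(fields).encode(), method="POST",
                   headers={"Authorization": f"Bearer {token}"})

def definition_request(base, owner, app, macro, definition, token):
    """First call from the thread: set the macro's search definition."""
    return post_request(macro_url(base, owner, app, macro),
                        {"definition": definition}, token)

def share_request(base, owner, app, macro, sharing, token):
    """Second call from the thread: change the macro's scope through /acl."""
    if sharing not in VALID_SHARING:
        raise ValueError(f"unexpected sharing level: {sharing!r}")
    return post_request(macro_url(base, owner, app, macro, acl=True),
                        {"owner": owner, "sharing": sharing}, token)

def acl_matches(reply_text, owner, sharing):
    """Confirm that a JSON reply reports the owner and scope that were
    requested, instead of assuming the change took effect."""
    acl = json.loads(reply_text)["entry"][0]["acl"]
    return acl.get("owner") == owner and acl.get("sharing") == sharing

# Constructed sample reply (assumed shape), not captured from a real server.
SAMPLE_ACL_REPLY = json.dumps(
    {"entry": [{"name": "my_macro",
                "acl": {"app": "search", "owner": "randall", "sharing": "app"}}]})
```

To send a request, pass the returned object to `urllib.request.urlopen` with certificate verification left on, then check the reply with `acl_matches` before relying on the new scope.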

paulbannister
Communicator
0 Karma

whiterd434
Explorer

Thank you for the response, but the links provided do not provide any information on creating/updating a macro through use of the API. I should have been more specific. I have already searched everything I can think of. The closest I have been able to come is the documentation for "saved searches", but I have been unable to figure out how to modify the app scope of a given macro.

0 Karma