Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where can I find documentation on how to update a macro by using the API?

whiterd434
Explorer
‎09-20-2018 01:00 PM

I have successfully used the code below to create a macro (POST using 'requests' with Python). However, I have been unable to find any documentation that states this being possible. Based on the error messages I came across, "definition" is known as a "handler" within the Splunk API. I am trying to find any other "handlers" that I can target for updating macros. The main thing I would like to accomplish now is to change the permission level of a newly created macro to the app it is inside of (since it defaults to owner only).

payload = {'definition': 'query here'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name'

Thank you for your time.
-Randall

Tags (2)
0 Karma
Reply

stephaniem_splu
Splunk Employee
Splunk Employee
‎10-23-2018 01:29 PM

Typically you can use handlers to update conf files (such as the services/data/transforms endpoint for transforms.conf), but macros are an exception. The Splunk REST API does not offer any dedicated handlers for macros.

You can use the /acl endpoint to change permissions (as you discovered), or you can use the /properties or /configs handlers to manipulate macros.conf files directly: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTconf

Reply

whiterd434
Explorer
‎09-21-2018 06:12 AM

I do know where the Splunk documentation is and have already made extensive use of it to get to this point.

0 Karma
Reply

whiterd434
Explorer
‎09-21-2018 07:15 AM

I found part of my answer. While I still cannot find specific documentation on creating/updating macros through the API, I found how to update the scope after the fact.

payload = {'owner': 'username', 'sharing': 'app'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name/acl'

Access Control List Documentation

Reply

paulbannister
Communicator
‎09-21-2018 03:32 AM

Hi There,

Would the below documentation be of use to you:

http://dev.splunk.com/restapi
http://docs.splunk.com/Documentation/Splunk/7.1.3/RESTTUT/RESTbasicexamples

0 Karma
Reply

whiterd434
Explorer
‎09-21-2018 06:11 AM

Thank you for the response, but the links provided do not provide any information on creating/updating a macro through use of the API. I should have been more specific. I have already searched everything I can think of. The closest I have been able to come is the documentation for "saved searches", but I have been unable to figure out how to modify the app scope of a given macro.

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top