Where can I find documentation on how to update a macro by using the API?

whiterd434
Explorer

I have successfully used the code below to create a macro (POST using 'requests' with Python). However, I have been unable to find any documentation that states that this is possible. Based on the error messages I came across, "definition" is known as a "handler" within the Splunk API. I am trying to find any other "handlers" that I can target for updating macros. The main thing I would like to accomplish now is to change the permission level of a newly created macro to the app it is inside of (since it defaults to owner only).

payload = {'definition': 'query here'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name'

Thank you for your time.
-Randall

0 Karma

stephaniem_splu
Splunk Employee

Typically you can use handlers to update conf files (such as the services/data/transforms endpoint for transforms.conf), but macros are an exception. The Splunk REST API does not offer any dedicated handlers for macros.

You can use the /acl endpoint to change permissions (as you discovered), or you can use the /properties or /configs handlers to manipulate macros.conf files directly: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTconf

whiterd434
Explorer

I do know where the Splunk documentation is and have already made extensive use of it to get to this point.

0 Karma

whiterd434
Explorer

I found part of my answer. While I still cannot find specific documentation on creating/updating macros through the API, I found how to update the scope after the fact.

payload = {'owner': 'username', 'sharing': 'app'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name/acl'

Access Control List Documentation
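
The two POSTs described in this thread (setting `definition`, then changing sharing through `/acl`), put together as an added example that is not part of any poster's code. It uses the Python standard library instead of `requests` so it runs without dependencies; the host, port 8089, bearer-token authentication, the sample definition and all function names are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import quote, urlencode

# Assumed values, not from the thread: host, management port, token auth.
BASE = "https://splunk.example.com:8089"  # constructed placeholder


def macro_url(base, owner, app, name, suffix=""):
    """servicesNS path from the thread, with owner, app and macro name
    percent-encoded so a name containing '/', '?' or spaces cannot alter the path."""
    segs = [quote(s, safe="") for s in (owner, app)] + ["admin", "macros", quote(name, safe="")]
    return base.rstrip("/") + "/servicesNS/" + "/".join(segs) + suffix


def _post(url, fields, token):
    # Form-encoded POST body; the token goes in a header, never in the URL.
    return urllib.request.Request(
        url, data=urlencode(fields).encode(), method="POST",
        headers={"Authorization": "Bearer " + token})


def definition_request(base, owner, app, name, definition, token):
    """POST that sets the macro's 'definition' (first payload in the thread)."""
    return _post(macro_url(base, owner, app, name), {"definition": definition}, token)


def acl_request(base, owner, app, name, token, sharing="app"):
    """POST to /acl that changes sharing (second payload in the thread)."""
    if sharing not in ("user", "app", "global"):
        raise ValueError("unexpected sharing level: %r" % sharing)
    return _post(macro_url(base, owner, app, name, "/acl"),
                 {"owner": owner, "sharing": sharing}, token)


def send(req):
    """Send with certificate verification left on (the default SSL context)."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration with constructed values: show what would be sent.
    for r in (definition_request(BASE, "username", "app_name", "macro_name",
                                 "index=main | stats count", "TOKEN"),
              acl_request(BASE, "username", "app_name", "macro_name", "TOKEN")):
        print(r.get_method(), r.full_url, r.data.decode())
```

Rejecting sharing values outside an explicit list keeps a script from widening a macro's scope by accident; `send()` is only needed when the requests are actually dispatched.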

paulbannister
Communicator
0 Karma

whiterd434
Explorer

Thank you for the response, but the links provided do not provide any information on creating/updating a macro through use of the API. I should have been more specific. I have already searched everything I can think of. The closest I have been able to come is the documentation for "saved searches", but I have been unable to figure out how to modify the app scope of a given macro.

0 Karma