Where can I find documentation on how to update a macro by using the API?

whiterd434
Explorer

I have successfully used the code below to create a macro (POST using 'requests' with Python). However, I have been unable to find any documentation that states this is possible. Based on the error messages I came across, "definition" is known as a "handler" within the Splunk API. I am trying to find any other "handlers" that I can target for updating macros. The main thing I would like to accomplish now is to change the permission level of a newly created macro to the app it is inside of (since it defaults to owner only).

payload = {'definition': 'query here'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name'

Thank you for your time.
-Randall

0 Karma

stephaniem_splu
Splunk Employee

Typically you can use handlers to update conf files (such as the services/data/transforms endpoint for transforms.conf), but macros are an exception. The Splunk REST API does not offer any dedicated handlers for macros.

You can use the /acl endpoint to change permissions (as you discovered), or you can use the /properties or /configs handlers to manipulate macros.conf files directly: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTconf

whiterd434
Explorer

I do know where the Splunk documentation is and have already made extensive use of it to get to this point.

0 Karma

whiterd434
Explorer

I found part of my answer. While I still cannot find specific documentation on creating/updating macros through the API, I found how to update the scope after the fact.

payload = {'owner': 'username', 'sharing': 'app'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name/acl'

Access Control List Documentation
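
The two calls discussed in this thread (set the macro definition, then change its sharing through /acl), as an added example that is not code from the original posts or from Splunk. It builds the requests with the standard library instead of 'requests' so it runs offline; the host name, user, app, macro name and token are constructed placeholders, and Bearer-token authentication is an assumption about how the caller authenticates.

```python
from urllib.parse import quote, urlencode
from urllib.request import Request

BASE = "https://splunk.example.com:8089"  # constructed; stands in for 'root' above
ALLOWED_SHARING = {"user", "app", "global"}  # sharing levels accepted by the ACL endpoint


def macro_url(base, owner, app, macro, suffix=""):
    # Percent-encode every path segment so a name such as "my_macro(2)", or one
    # containing "/", cannot change which endpoint the request reaches.
    segs = [quote(s, safe="") for s in (owner, app, "admin", "macros", macro)]
    return f"{base.rstrip('/')}/servicesNS/{'/'.join(segs)}{suffix}"


def _post(url, payload, token):
    # Form-encoded POST body, as in the payload dicts posted in this thread.
    return Request(url, data=urlencode(payload).encode(), method="POST",
                   headers={"Authorization": f"Bearer {token}"})


def build_definition_request(base, owner, app, macro, definition, token):
    # Create or update the macro body ('definition' is the key used above).
    return _post(macro_url(base, owner, app, macro), {"definition": definition}, token)


def build_acl_request(base, owner, app, macro, sharing, token):
    # Widening sharing exposes the macro to more users, so reject anything
    # outside the known levels instead of passing caller input straight through.
    if sharing not in ALLOWED_SHARING:
        raise ValueError(f"unsupported sharing level: {sharing!r}")
    return _post(macro_url(base, owner, app, macro, "/acl"),
                 {"owner": owner, "sharing": sharing}, token)


if __name__ == "__main__":
    # Constructed sample values; send each request with urllib.request.urlopen(req).
    for req in (
        build_definition_request(BASE, "alice", "search", "my_macro(2)",
                                 "index=main | stats count", "PLACEHOLDER_TOKEN"),
        build_acl_request(BASE, "alice", "search", "my_macro(2)", "app",
                          "PLACEHOLDER_TOKEN"),
    ):
        print(req.get_method(), req.full_url, req.data.decode())
```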

paulbannister
Communicator
0 Karma

whiterd434
Explorer

Thank you for the response, but the links provided do not provide any information on creating/updating a macro through use of the API. I should have been more specific. I have already searched everything I can think of. The closest I have been able to come is the documentation for "saved searches", but I have been unable to figure out how to modify the app scope of a given macro.

0 Karma