Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine two rest services?

pkolhatk
Explorer
‎11-15-2022 05:01 PM

Hi wonderful people.

I wanted to know if we can combine two services in splunk to get an output 

| rest /services/authentication/users splunk_server=local 
and   

| rest /services/admin/SAML-groups splunk_server=local 

 how can I combine the above two to get the results in one query 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2022 05:38 PM

It's not possible to create a single rest command that performs both actions.  You can, however, use the append command to combine the results of both commands then use stats to group them.

| rest splunk_server=local /services/admin/SAML-groups
| fields title roles 
| rename title as group
| append [ | rest splunk_server=local /services/admin/SAML-user-role-map
  | fields title roles 
  | rename title as user ]
| stats values(*) as * by roles
---
If this reply helps you, Karma would be appreciated.
Reply

ahhloy
New Member
‎10-05-2023 08:06 PM

Hi everyone, I tried combining two REST command by using append. However it does not work.

The first rest command , I would need to get info on who is the Search Head captain, and the 2nd rest command I would need to get the bundle replication file size from the search head captain to display the bundle size. Hope some one can assist. Thank you. 

 

| rest splunk_server=local /services/shcluster/captain/info
| fields Captain
| rename label as Captain
| append [ rest splunk_server=Captain /services/search/distributed/bundle-replication-files ]
| eval timestamp=strftime(timestamp,"%m/%d/%y %H:%M:%S")
| eval size=size/1024/1024/1024
| table filename timestamp size

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-05-2023 11:11 PM

Another thing - if you want to find which server is captain to dynamically decide to which server you should send the next rest call, you can't just say splunk_server=Captain. That would be looking for a server called Captain which you most probably don't have.

You need to use one of the two possible techniques here - map command or subsearch.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎10-05-2023 10:28 PM

@ahhloy - The append command does not combine the results, it generates two different results and append. To combine it you need to use the stats command after append. See the last line in the answer from @richgalloway 

0 Karma
Reply

ahhloy
New Member
‎10-06-2023 01:23 AM

@VatsalJagani thank you for the advise.. Not sure if the use of stats command is correct.

I would need the append output to show the search head captain, bundle size and file name. 

| rest /services/shcluster/status splunk_server=local
| fields captain.label
| append [ | rest splunk_server=local /services/search/distributed/bundle-replication-files
| fields captain.label size filename
| eval timestamp=strftime(timestamp,"%m/%d/%y %H:%M:%S")
| eval size=size/1024/1024/1024
| table filename timestamp size ]
| rest /services/shcluster/status splunk_server=local
| fields captain.label
| append [ | rest splunk_server=local /services/search/distributed/bundle-replication-files
| fields captain.label size filename
| eval timestamp=strftime(timestamp,"%m/%d/%y %H:%M:%S")
| eval size=size/1024/1024/1024
| table filename timestamp size ]
| stats latest(_time) as latest_time by captain.label size filename | convert ctime(latest_time)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...