Splunk Dev

How to combine two rest services?

pkolhatk
Explorer

Hi wonderful people.

I wanted to know if we can combine two services in Splunk to get an output:

| rest /services/authentication/users splunk_server=local 
and   

| rest /services/admin/SAML-groups splunk_server=local 

How can I combine the above two to get the results in one query?

 


richgalloway
SplunkTrust

It's not possible to create a single rest command that performs both actions. You can, however, use the append command to combine the results of both commands, then use stats to group them.

| rest splunk_server=local /services/admin/SAML-groups
| fields title roles 
| rename title as group
| append [ | rest splunk_server=local /services/admin/SAML-user-role-map
  | fields title roles 
  | rename title as user ]
| stats values(*) as * by roles
---
If this reply helps you, Karma would be appreciated.

ahhloy
New Member

Hi everyone, I tried combining two REST commands by using append. However, it does not work.

With the first rest command I would need to get info on who is the Search Head captain, and with the 2nd rest command I would need to get the bundle replication file size from the search head captain to display the bundle size. Hope someone can assist. Thank you.

 

| rest splunk_server=local /services/shcluster/captain/info
| fields Captain
| rename label as Captain
| append [ rest splunk_server=Captain /services/search/distributed/bundle-replication-files ]
| eval timestamp=strftime(timestamp,"%m/%d/%y %H:%M:%S")
| eval size=size/1024/1024/1024
| table filename timestamp size


PickleRick
SplunkTrust

Another thing - if you want to find which server is captain to dynamically decide to which server you should send the next rest call, you can't just say splunk_server=Captain. That would be looking for a server called Captain which you most probably don't have.

You need to use one of the two possible techniques here - map command or subsearch.

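As an added illustration of the map technique PickleRick mentions (this is example SPL written for this thread, not code posted by any of the participants), the search below reads the captain's label from the local member, then runs the bundle-replication-files rest call once against that server. It assumes the captain's label returned by /services/shcluster/captain/info is also the name under which that member is reachable as a search peer, so it can be substituted into splunk_server; if your deployment names peers differently, that mapping is the thing to check first.

```spl
| rest splunk_server=local /services/shcluster/captain/info
| fields label
| map maxsearches=1 search="| rest splunk_server=$label$ /services/search/distributed/bundle-replication-files
    | eval timestamp=strftime(timestamp,\"%m/%d/%y %H:%M:%S\")
    | eval size_gb=round(size/1024/1024/1024,3)
    | table splunk_server filename timestamp size_gb"
```

The rest command already emits a splunk_server field on every row, so the captain's name carries through to the table without a separate eval. maxsearches=1 is a guard: captain/info returns exactly one row, and capping map there keeps a surprising result set (for example, a member that is temporarily not part of the cluster) from fanning out into multiple REST calls.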

VatsalJagani
SplunkTrust

@ahhloy - The append command does not combine the results; it generates two different result sets and appends them. To combine them you need to use the stats command after append. See the last line in the answer from @richgalloway.


ahhloy
New Member

@VatsalJagani thank you for the advice. Not sure if the use of the stats command is correct.

I would need the append output to show the search head captain, bundle size and file name. 

| rest /services/shcluster/status splunk_server=local
| fields captain.label
| append [ | rest splunk_server=local /services/search/distributed/bundle-replication-files
| fields captain.label size filename
| eval timestamp=strftime(timestamp,"%m/%d/%y %H:%M:%S")
| eval size=size/1024/1024/1024
| table filename timestamp size ]
| stats latest(_time) as latest_time by captain.label size filename | convert ctime(latest_time)
