Reverse engineering this stuff from the logs and existing usage in SplunkWeb's python code, I see a lot of things use the big flat 'admin/foo' paths to get/set data in EAI. However I also know vaguely from overhearing conversations at Splunk that this big flat list of 'admin/foo' endpoints is considered less than ideal and I thought I overheard that for each of them there is a more fundamental endpoint that we're all supposed to use.
And another data point is that I know that I can usually go to
https://localhost:8089/servicesNS/admin/<app_name>/data
, click past the stern security warnings from firefox, and there I should be able to drive to the stuff I want.
Then once I've found it, its easy to determine the proper EAI path by just looking at the browser URL.
The problem is that I cant find the 'proper' path for macros, and i cant find any path at all for extractions that are defined in props.conf
eg:
1) if I want to get a macro using the splunk.entity class in python, the only path I know is 'admin/macros', as in
splunk.entity.getEntity("admin/macros", "my_macro_name", namespace="my_app_name", owner="splunk.auth.getCurrentUser()['name'])
2) And I have an extracted field that is defined in my app and I cannot find a way to get this at all from EAI. (Maybe it would be there if I had defined it over in transforms and merely referred to it from props? )
Thanks in advance for any and all help.
Yea, for macros i can only find the admin/macros path, and i always thought those admin ones were hacks and not to be used. And for props I cant find anything. URLs in splunkd_access for the macros list page in manager is /servicesNS/admin/