Splunk Enterprise Security

REST API to Modify ES Correlation Search

cwo1010
Explorer

Hello,

I am trying to use Splunk's REST API in order to change portions of existing correlation searches created within Enterprise Security. For this test, I created a correlation search called chris_test. It has a description of "Test correlation search". I would like to modify its description to be "AAA". I try to do this as follows:

curl -k -u chris https://essplunk.company.com:8089/servicesNS/chris/SplunkEnterpriseSecuritySuite/saved/searches/Threat%20-%20chris_test%20-%20Rule -d description="EEE" > chris_test.txt

I also tried with:

-X POST -d description="EEE"

In both cases, it doesn't seem to make the update to the correlation search. Can someone help me to better understand what I am doing wrong? Long-term, I'd like to be able to use REST API to update the Next Steps of a notable Adaptive Response via something like:

-d action.notable.param.next_steps="DEMO"

0 Karma
1 Solution

jnussbaum_splun
Splunk Employee
Splunk Employee

Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/<app>/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.

 

Hope this helps.

View solution in original post

jnussbaum_splun
Splunk Employee
Splunk Employee

Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/<app>/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.

 

Hope this helps.

cwo1010
Explorer

Replacing the username with "nobody" correctly converted the REST API action from a "create new search" action into a "modify an existing search" action.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you tried URL-encoding the search name?

---
If this reply helps you, Karma would be appreciated.
0 Karma

cwo1010
Explorer

Whoops. It was URL encoded but Splunk Answers converted it back out. Guess I should have stuck that URL into a code block.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...