Splunk Enterprise Security

REST API to Modify ES Correlation Search

cwo1010
Explorer

Hello,

I am trying to use Splunk's REST API in order to change portions of existing correlation searches created within Enterprise Security. For this test, I created a correlation search called chris_test. It has a description of "Test correlation search". I would like to modify its description to be "AAA". I try to do this as follows:

curl -k -u chris https://essplunk.company.com:8089/servicesNS/chris/SplunkEnterpriseSecuritySuite/saved/searches/Threat%20-%20chris_test%20-%20Rule -d description="EEE" > chris_test.txt

I also tried with:

-X POST -d description="EEE"

In both cases, it doesn't seem to make the update to the correlation search. Can someone help me to better understand what I am doing wrong? Long-term, I'd like to be able to use REST API to update the Next Steps of a notable Adaptive Response via something like:

-d action.notable.param.next_steps="DEMO"

0 Karma
1 Solution

jnussbaum_splun
Splunk Employee
Splunk Employee

Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/<app>/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.

 

Hope this helps.

View solution in original post

jnussbaum_splun
Splunk Employee
Splunk Employee

Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/<app>/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.

 

Hope this helps.

cwo1010
Explorer

Replacing the username with "nobody" correctly converted the REST API action from a "create new search" action into a "modify an existing search" action.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you tried URL-encoding the search name?

---
If this reply helps you, Karma would be appreciated.
0 Karma

cwo1010
Explorer

Whoops. It was URL encoded but Splunk Answers converted it back out. Guess I should have stuck that URL into a code block.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...