Splunk Enterprise Security

REST API to Modify ES Correlation Search

cwo1010
Explorer

Hello,

I am trying to use Splunk's REST API in order to change portions of existing correlation searches created within Enterprise Security. For this test, I created a correlation search called chris_test. It has a description of "Test correlation search". I would like to modify its description to be "AAA". I try to do this as follows:

curl -k -u chris https://essplunk.company.com:8089/servicesNS/chris/SplunkEnterpriseSecuritySuite/saved/searches/Threat%20-%20chris_test%20-%20Rule -d description="EEE" > chris_test.txt

I also tried with:

-X POST -d description="EEE"

In both cases, it doesn't seem to make the update to the correlation search. Can someone help me to better understand what I am doing wrong? Long-term, I'd like to be able to use REST API to update the Next Steps of a notable Adaptive Response via something like:

-d action.notable.param.next_steps="DEMO"

0 Karma
1 Solution

jnussbaum_splun
Splunk Employee

Hi, could the issue be related to the Namespace? I see "chris" is specified in your curl, which would create/modify the object in $SPLUNK_HOME/etc/users/chris/<app>/local/savedsearches.conf, however the object you might be hoping to modify might exist in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, so if you try replacing "chris" in your REST call with "nobody" - that may address the right object.

Hope this helps.

cwo1010
Explorer

Replacing the username with "nobody" correctly converted the REST API action from a "create new search" action into a "modify an existing search" action.

0 Karma

richgalloway
SplunkTrust

Have you tried URL-encoding the search name?

---
If this reply helps you, Karma would be appreciated.
0 Karma

cwo1010
Explorer

Whoops. It was URL encoded but Splunk Answers converted it back out. Guess I should have stuck that URL into a code block.

0 Karma
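Putting the two answers together (the "nobody" namespace from jnussbaum_splun and the URL-encoded search name from richgalloway), here is an added example that is not part of the original thread and not Splunk's own code. It builds the same request the curl command in the question makes, using Python's standard library only, and keeps the request construction separate from sending so the URL and body can be inspected before anything touches a real server. The host, port and app name are taken from the thread; the token and the search name are constructed placeholders. Unlike the curl in the question, TLS certificate verification is on by default and a bearer token is used instead of a password on the command line.

```python
"""Modify an existing Enterprise Security correlation search over the REST API.

Added example for the thread above; assumes a Splunk authentication token and
network access to the management port. Nothing is sent unless send=True.
"""
import argparse
import json
import ssl
import urllib.parse
import urllib.request

# Values from the thread; replace with your own environment.
SPLUNK_HOST = "essplunk.company.com"
SPLUNK_PORT = 8089
ES_APP = "SplunkEnterpriseSecuritySuite"


def saved_search_url(search_name, owner="nobody", app=ES_APP,
                     host=SPLUNK_HOST, port=SPLUNK_PORT):
    """Return the servicesNS URL that addresses one saved search.

    owner="nobody" targets the app-level object stored in
    $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf. Using a real
    username instead addresses (or creates) a private copy under
    $SPLUNK_HOME/etc/users/<user>/<app>/, which is the mismatch the
    accepted answer describes.

    The name is percent-encoded with safe="" so spaces become %20 and a
    "/" in a search name cannot be read as a path separator.
    """
    encoded = urllib.parse.quote(search_name, safe="")
    return (f"https://{host}:{port}/servicesNS/{owner}/{app}"
            f"/saved/searches/{encoded}")


def build_get_request(search_name, token, owner="nobody"):
    """GET the object first: a 404 here means a POST would not modify
    the search you expect, so check before writing."""
    url = saved_search_url(search_name, owner=owner) + "?output_mode=json"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def build_update_request(search_name, fields, token, owner="nobody"):
    """POST form-encoded fields to an existing saved search.

    fields is a dict such as {"description": "AAA"} or
    {"action.notable.param.next_steps": "DEMO"}; the body is encoded the
    same way `curl -d key=value` encodes it.
    """
    url = saved_search_url(search_name, owner=owner) + "?output_mode=json"
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def send(req, verify_tls=True):
    """Send a prepared request and return (status, parsed JSON body).

    verify_tls=False reproduces curl -k; leave it on unless the management
    port really uses a certificate you cannot trust from this host.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.load(resp)


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--token", default="<SPLUNK_TOKEN>",  # placeholder
                        help="Splunk authentication token")
    parser.add_argument("--send", action="store_true",
                        help="actually send the request (default: dry run)")
    args = parser.parse_args()

    # Search name from the thread; description value from the question text.
    name = "Threat - chris_test - Rule"
    update = build_update_request(name, {"description": "AAA"}, args.token)
    print(update.get_method(), update.full_url)
    print(update.data.decode())

    if args.send:
        status, _ = send(build_get_request(name, args.token))  # 404 -> wrong object
        print("GET status:", status)
        status, body = send(update)
        print("POST status:", status)
        print(body["entry"][0]["content"].get("description"))


if __name__ == "__main__":
    main()
```

Run it without `--send` to print the exact URL and body; compare the URL against the one in the question and note that only the owner segment changes from `chris` to `nobody`. The GET before the POST is the check worth keeping in any automation: if the object cannot be read at that namespace, the update would not land on the correlation search ES actually runs.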