Is there a lookup I can use to create a custom table of active investigations? I am trying to create a table that shows all active investigations, as users by default cannot see investigations if they are not collaborators. This table will let all analysts see every active investigation, at least in an initial way. I saw this thread, but that lookup doesn't appear to work.
Bumping this thread as this is very useful information that does not seem to have a lot of documentation surrounding it.
The only way I found. Thanks to PS.
Unfortunately, there’s no way to do this currently.
The issue isn’t with the JSON format. The permissions on that particular KV Store collection are purposefully locked down. Changing those permissions is heavily advised against internally.
Running the | rest command in Search against that endpoint will not produce any results. The only way to get that data is to run a curl command from the command line. The screenshots below show both cases. As for the command line output, that’s standard JSON that could be indexed and searched on.
@robjackon, would you mind re-attaching the screenshots below? I would love to see the curl commands to pull this info. Thanks for the info!
I really need a solution to this problem.
You need to know that the KV Store collections are named investigative_canvas_entries and investigative_canvas. Then do what is listed here to use inputlookup to dump the collection data: http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZW
This doesn't work.
I neglected to mention that you have to create a lookup definition pointing to the collection and then use inputlookup against the lookup definition, not the collection.
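The reply above describes the missing step (a lookup definition that points at the collection) without showing it. The stanza below is an added example of what that definition looks like in transforms.conf; it is not code from the thread or from Splunk ES. It assumes the stanza is deployed in an app context that can see the investigative_canvas_entries collection (the thread does not name the app), and every field after _key is a hypothetical name chosen for illustration, since the collection's real field names are not given anywhere in the thread.

```ini
# Added example (not from the thread or Splunk ES): a KV Store lookup
# definition for transforms.conf. The stanza name is the lookup definition
# you reference from SPL; "collection" is the KV Store collection it reads.
# Assumption: this file lives in an app that can read the collection.
[investigative_canvas_entries_lookup]
external_type = kvstore
collection = investigative_canvas_entries
# _key always exists in a KV Store collection; the remaining names are
# hypothetical placeholders and must be replaced with the collection's
# actual fields from its collections.conf.
fields_list = _key, title, status, create_time
```

With the definition in place, the search runs against the definition name, `| inputlookup investigative_canvas_entries_lookup`, not against the collection name. Note that this only works if the search user can read both the lookup definition and the underlying collection; as the thread reports, the collection's own permissions are deliberately locked down, so the "invalid lookup table" error can persist even with a correct definition, and loosening the collection's permissions is the change the thread advises against.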
Hi @woodcock, I tried using inputlookup and that returns the error, "The lookup table 'investigative_canvas_entries' is invalid." But there are multiple investigations already created. Can you expand on what you meant by "do what is listed here..."?
| inputlookup investigative_canvas_entries