Splunk Enterprise Security: Where do I specify _key field in the curl command for Threat API?

doodoodonk
Engager

I am trying to search the ip_intel kvstore for threat intelligence for an IP that I know is already there. I'm just trying to test out the Threat intelligence API based off:

http://docs.splunk.com/Documentation/ES/4.7.2/API/ThreatIntelligenceAPIreference#.2Fservices.2Fdata....

I attempt to use what is in this guide to perform a query for the IP in this kvstore using the following:

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":"10.10.1.1"}' -G -X GET

Response I get from Splunk Enterprise Security 4.7.2 is the following:

{"message": "Found an invalid record in item list. Each record must have _key field.", "status": false}

In the documentation in the link, it lists that this may happen, but it does not show an example curl command where this "_key" field is actually used. I was wondering if anyone has done this and gotten it to work. It is driving me mad. I know this IP exists in this kv_store, but how do I get this API to pull it back?


sdelicori_splun
Splunk Employee

I've checked in with our dev team and it shouldn't be necessary to provide the _key for this get operation. We already have this identified as an issue to fix in the next maintenance release, which should be 4.7.3. We haven't set a date for that yet, but it will be upcoming this fall. In the meantime, best to follow Kyle's much more currently useful advice.

kchamplin_splun
Splunk Employee

The API is a little tricky, as there is a set of "_key" values that are not rendered in the Splunk UI by default. The other thing is that the "GET" example is overly complex and incomplete. As an example:
curl -k -u 'admin:changeme' 'https://:8089/services/data/threat_intel/item/ip_intel/adv_ip_all|1.0.0.1'

The GET request should basically just have the collection name for the associated indicator (ip_intel, file_intel, http_intel, etc), and then you need to append the _key value. Per the example above, this can be a pipe separated value (remember to escape the pipe or URL encode, depending on how you're making the request). The way you can get the key is documented in the docs examples, but for ip intel you can run this search to get a list of keys:
| ip_intel | eval item_key=_key

As you can tell the actual indicator and _key value are munged together via that pipe separator. I'm not sure if this is always the case, but hopefully this will get you started.
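A worked example of the lookup described in this answer, added here and not part of the thread or of Splunk's own code: it composes the pipe-separated _key from the threat source and indicator, percent-encodes it so the pipe cannot be mistaken for a shell pipe or a path separator, builds the item URL for a collection, and parses the JSON status/message envelope seen in the question. The host, port, and credentials are placeholders read from environment variables; the endpoint path and the `source|indicator` key layout come from the answer above.

```python
"""Compose and URL-encode a Threat Intelligence API item lookup.

Added example, not from the original thread or from Splunk. The endpoint
path and the "<source>|<indicator>" _key layout come from the answer above;
SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASS are placeholders you supply.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request

THREAT_INTEL_PATH = "/services/data/threat_intel/item"


def item_key(source: str, indicator: str) -> str:
    """Compose the _key value as the collection stores it: source|indicator."""
    return f"{source}|{indicator}"


def split_key(key: str):
    """Split a stored _key back into (threat source, indicator)."""
    source, _, indicator = key.partition("|")
    return source, indicator


def item_url(base_url: str, collection: str, key: str) -> str:
    """URL for a single item: the collection name, then the encoded _key.

    quote(safe="") turns '|' into %7C and also encodes '/', so a key can never
    be read as extra path segments.
    """
    encoded = urllib.parse.quote(key, safe="")
    return f"{base_url.rstrip('/')}{THREAT_INTEL_PATH}/{collection}/{encoded}"


def curl_command(base_url: str, collection: str, key: str) -> str:
    """Equivalent curl call; single quotes keep the shell from piping on '|'."""
    return f"curl -k -u \"$SPLUNK_USER:$SPLUNK_PASS\" '{item_url(base_url, collection, key)}'"


def parse_response(body: str):
    """Return (status, message) from the JSON envelope the API answers with.

    A successful item fetch returns the record instead of this envelope, so a
    missing 'status' field is treated as success.
    """
    data = json.loads(body)
    return bool(data.get("status", True)), data.get("message", "")


def fetch_item(base_url: str, collection: str, key: str, user: str, password: str,
               verify_tls: bool = True) -> str:
    """GET the item over HTTPS with Basic auth; verify_tls=False mirrors curl -k."""
    request = urllib.request.Request(item_url(base_url, collection, key))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    context = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed cert
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context) as response:
        return response.read().decode()


if __name__ == "__main__":
    # Placeholder host and credentials; the key value is constructed.
    base = f"https://{os.environ.get('SPLUNK_HOST', 'localhost')}:8089"
    key = item_key("adv_ip_all", "1.0.0.1")
    print(curl_command(base, "ip_intel", key))
    # Constructed copy of the error body from the question, for illustration.
    print(parse_response('{"message": "Found an invalid record in item list. '
                         'Each record must have _key field.", "status": false}'))
```

The search from the answer (`| ip_intel | eval item_key=_key`) gives you the stored keys; feed one of them to `split_key` or pass it straight to `item_url`. Whatever tool you use, the key must reach the server percent-encoded, because an unquoted `|` on the command line never leaves the shell.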
