Splunk Enterprise

REST API - "GET" SavedSearches gets confused? 🙄

verbal_666
Builder

Hello.
I'm having trouble listing all my SavedSearches from a SHC, using a command-line REST API GET.

I'm asking Splunk to list all savedsearches of user "admin" in "MYAPP" app.

For some strange reason, which I can't locate, the list also includes some other apps 🙄🙄🙄

Here we are,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u

... and here is what came back,

<s:key name="app">MYAPP</s:key>
<s:key name="app">MYAPP_backup</s:key>
<s:key name="app">ANOTHER_APP</s:key>
<s:key name="app">search</s:key>

I expect only "<s:key name="app">MYAPP</s:key>" entries, or not?
What's wrong???

Linux OS
SPLUNK ENTERPRISE 8.2.12
SHC 3 nodes (all nodes return the same output)

Thanks.

0 Karma
1 Solution

PickleRick
SplunkTrust

Nope. You're mistaking two different things.

One is where the search is defined. Another is where it is visible.

By calling /servicesNS/admin/myapp you're getting a list of apps _visible_ in context of user admin and app myapp. It might as well be defined in another app and shared globally.

verbal_666
Builder

Ahhhhhhhhhhh, here we go!!! It also takes the "sharing=global" objects 🙄 I understand.
Are there more parameters to filter directly from the GET? I can't see them in the documentation 🤷‍♀️
(also the "?count=x" is not documented 🤔)
Thanks.

0 Karma

PickleRick
SplunkTrust

The count parameter seems to be a general parameter recognized by all (?) GET endpoints. It's indeed not explicitly documented although it's hinted here https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

And I don't think you can filter in the REST call itself. You have to get all results and postprocess them yourself - the eai:appName should contain the name of the app the search is defined in.

(and I always use /servicesNS/-/-/ and just filter afterwards).

0 Karma

verbal_666
Builder

Just a beginning for shell... with script parameters (user and app in variables), I'm close enough to what I'm seeking 😀

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' \
  | egrep '<title>|name="app">|name="sharing">|name="owner">|name="disabled">' \
  | grep -v '<title>savedsearch</title>' \
  | sed -n -e '/title/,+4p' \
  | paste - - - - - \
  | grep 'MYAPP' | grep 'title' \
  | sed 's/ //g ; s/\t//g'

Perhaps not perfect, yet... but close 😀

Thanks.

0 Karma

PickleRick
SplunkTrust

One hint - while Splunk returns XML by default, it might be easier to use -d output_mode=json with your curl and work on the JSON output - there are more easily available tools for manipulating JSON in the shell than for XML.

So you can "easily" do something like this:

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | {name: .name, app: .acl.app}' 

or even

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | .acl.app + ":" + .name' 

(the jq tool is fairly easily available in modern distros, while xmllint or similar stuff might not be).

verbal_666
Builder

Great 👍👍👍

Effectively XML is quite obsolete 😴

Thanks again 👍

0 Karma

verbal_666
Builder

Final version... obviously inside a script or an interactive menu with parameters it should work fine 👍

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' \
  | jq -r ' .entry[]
            | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER")
            | .name + " : " + .acl.app + " : " + .author + " : " + .acl.owner + " : " + .acl.sharing + " : " + (.content.disabled|tostring) '

Alternative,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' \
  | jq -r ' .entry[]
            | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER")
            | [.name,.acl.app,.author,.acl.owner,.acl.sharing,.content.disabled] | @csv '

Thanks all 👍

PaulPanther
Motivator

The REST API gives you also globally shared searches back.

You could try:

1. filter out all searches with name="sharing">global<
2. filter for name="app">MYAPP<
3. use a different user to call the API
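The same post-processing in Python rather than jq, as an added example that is not code from this thread or from Splunk. It parses a constructed JSON sample shaped like the output_mode=json response of /servicesNS/-/-/saved/searches (entry[].name, .author, .acl.app/owner/sharing, .content.disabled) and applies the filter the thread converges on: keep only entries whose acl.app (the app the search is defined in) and acl.owner match, and separately list the entries that a /servicesNS/admin/MYAPP call would show only because they are shared globally. The fetch_saved_searches helper, host name and credentials are assumptions for illustration; the filtering functions never touch the network.

```python
"""Filter a Splunk saved/searches REST response by defining app and owner.

Example added for this thread (not code from the thread or from Splunk).
It applies the filter the thread converges on: keep entries whose acl.app
(the app the search is defined in) and acl.owner match, regardless of the
app context used in the request.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample (not a real server response), trimmed to the fields
# used below. Layout follows Splunk's JSON: entry[].name, .author,
# .acl.{app,owner,sharing}, .content.disabled.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins", "author": "admin",
     "acl": {"app": "MYAPP", "owner": "admin", "sharing": "app"},
     "content": {"disabled": False}},
    {"name": "Errors last 24h", "author": "admin",
     "acl": {"app": "search", "owner": "admin", "sharing": "global"},
     "content": {"disabled": True}},
    {"name": "Old report", "author": "bob",
     "acl": {"app": "MYAPP_backup", "owner": "bob", "sharing": "global"},
     "content": {"disabled": False}},
    {"name": "Private search", "author": "bob",
     "acl": {"app": "MYAPP", "owner": "bob", "sharing": "user"},
     "content": {"disabled": False}},
]})


def fetch_saved_searches(base_url, user, password, verify_tls=True):
    """GET all saved searches (count=0) as a JSON string.

    Network helper only; nothing below needs it. base_url is e.g.
    "https://SHC_NODE:8089" (hypothetical host). verify_tls=False is the
    equivalent of curl -k and belongs only on a lab node with a
    self-signed certificate.
    """
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def filter_saved_searches(raw_json, app, owner=None, sharing=None):
    """Entries *defined* in `app` (acl.app), optionally narrowed by owner
    and sharing level. Returns flat dicts in the column order of the
    final jq line in the thread.
    """
    rows = []
    for entry in json.loads(raw_json).get("entry", []):
        acl = entry.get("acl", {})
        if acl.get("app") != app:
            continue
        if owner is not None and acl.get("owner") != owner:
            continue
        if sharing is not None and acl.get("sharing") != sharing:
            continue
        rows.append({
            "name": entry["name"],
            "app": acl.get("app"),
            "author": entry.get("author"),
            "owner": acl.get("owner"),
            "sharing": acl.get("sharing"),
            "disabled": bool(entry.get("content", {}).get("disabled", False)),
        })
    return rows


def visible_only_via_global_sharing(raw_json, app):
    """Names of searches that /servicesNS/<user>/<app> lists even though
    they are defined in another app: those with sharing == "global".
    This is the set that confused the original question."""
    return [e["name"] for e in json.loads(raw_json).get("entry", [])
            if e.get("acl", {}).get("app") != app
            and e.get("acl", {}).get("sharing") == "global"]


if __name__ == "__main__":
    for row in filter_saved_searches(SAMPLE_RESPONSE, "MYAPP", owner="admin"):
        print(" : ".join(str(row[k]) for k in
                         ("name", "app", "author", "owner", "sharing", "disabled")))
    print("seen only via global sharing:",
          visible_only_via_global_sharing(SAMPLE_RESPONSE, "MYAPP"))
```

Run against a live node, replace SAMPLE_RESPONSE with the string returned by fetch_saved_searches; the filters stay the same because the JSON shape is the same. Filtering on acl.app rather than on the URL's app context is the point: the context only decides what is visible, while acl.app records where the search is actually defined.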
