Splunk Enterprise

REST API - "GET" SavedSearches gets confused? 🙄

verbal_666
Builder

Hello.
I'm having trouble listing all my SavedSearches from a SHC, using a command line REST API GET.

I'm asking Splunk to list all savedsearches of user "admin" in "MYAPP" app.

For some strange reason I can't figure out, the list also includes some other apps 🙄🙄🙄

Here we are,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u


... and here is what came back,

 

<s:key name="app">MYAPP</s:key>
<s:key name="app">MYAPP_backup</s:key>
<s:key name="app">ANOTHER_APP</s:key>
<s:key name="app">search</s:key>

I expect only "<s:key name="app">MYAPP</s:key>" entries, or not?
What's wrong??? 😏😏😏

Linux OS
SPLUNK ENTERPRISE 8.2.12
SHC 3 Nodes (all nodes return the same output)

Thanks.

PickleRick
SplunkTrust

Nope. You're mistaking two different things.

One is where the search is defined. Another is where it is visible.

By calling /servicesNS/admin/myapp you're getting a list of apps _visible_ in context of user admin and app myapp. It might as well be defined in another app and shared globally.

verbal_666
Builder

Ahhhhhhhhhhh, here we go!!! It also picks up the "sharing=global" objects 🙄 I understand.
Are there more parameters to filter directly from the GET? I can't find them in the documentation 🤷‍♀️
(also "?count=x" is not documented 🤔)
Thanks.

PickleRick
SplunkTrust

The count parameter seems to be a general parameter recognized by all (?) GET endpoints. It's indeed not explicitly documented although it's hinted here https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

And I don't think you can filter in the REST call itself. You have to get all results and postprocess them yourself - the eai:appName should contain the name of the app the search is defined in.

(and I always use /servicesNS/-/-/ and just filter afterwards).

verbal_666
Builder

Just a beginning for shell... with script parameters (user and app in variables), I'm close enough to what I'm seeking 😀

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep '<title>|name="app">|name="sharing">|name="owner">|name="disabled">' | grep -v '<title>savedsearch</title>' | sed -n -e '/title/,+4p' | paste - - - - - | grep 'MYAPP' | grep 'title' | sed 's/ //g ; s/\t//g'

Perhaps not perfect, yet... but close 😀

Thanks.

PickleRick
SplunkTrust

One hint - while Splunk returns XML by default, it might be easier to use -d output_mode=json with your curl and use the JSON output - there are more readily available tools for manipulating JSON in the shell than for XML.

So you can "easily" do something like this:

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | {name: .name, app: .acl.app}'

or even

curl -k -u admin:pass https://splunksh:8089/servicesNS/-/-/saved/searches -d output_mode=json -d count=0 --get | jq '.entry | map(.) | .[] | .acl.app + ":" + .name'

(the jq tool is fairly easily available in modern distros while xmllint or similar stuff might not be).

verbal_666
Builder

Great 👏👏👍

Effectively XML is quite obsolete 😴

Thanks again 👍

verbal_666
Builder

Final version... obviously inside a script or an interactive menu with parameters it should work fine 👍

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | .name + " : " + .acl.app + " : " + .author + " : " + .acl.owner + " : " + .acl.sharing + " : " + (.content.disabled|tostring) '

Alternative,

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | [.name,.acl.app,.author,.acl.owner,.acl.sharing,.content.disabled] | @csv '

Thanks all 👍
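The same idea as PickleRick's JSON suggestion and the final jq filter above, as a small Python script added here as an example (it is not part of this thread and not Splunk's own code). It parses the output_mode=json shape of /servicesNS/-/-/saved/searches, separates searches that are defined in MYAPP (acl.app) from ones that are merely visible there because another app shares them globally, and prints the same fields as the jq @csv variant. A constructed sample response is embedded so it runs offline; fetch_saved_searches, the host name and the credentials are hypothetical.

```python
import base64
import json
import ssl
from urllib.request import Request, urlopen

# Constructed sample of what /servicesNS/-/-/saved/searches?output_mode=json
# returns; only the fields the thread's jq filters use are included.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins", "author": "admin",
     "acl": {"app": "MYAPP", "owner": "admin", "sharing": "app"},
     "content": {"disabled": False}},
    {"name": "Old report", "author": "admin",
     "acl": {"app": "MYAPP_backup", "owner": "admin", "sharing": "global"},
     "content": {"disabled": True}},
    {"name": "Errors in the last hour", "author": "nobody",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"},
     "content": {"disabled": False}},
    {"name": "Private test", "author": "bob",
     "acl": {"app": "MYAPP", "owner": "bob", "sharing": "user"},
     "content": {"disabled": False}},
]})


def fetch_saved_searches(host, user, password, verify_tls=True):
    """Hypothetical live query: the same request as the curl in the thread
    (count=0 = no limit, output_mode=json) with HTTP basic auth."""
    url = f"https://{host}:8089/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # mirrors curl -k; only sensible against a lab certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def parse_saved_searches(body):
    """Flatten each entry to the fields the jq filters print."""
    rows = []
    for e in json.loads(body).get("entry", []):
        acl = e.get("acl", {})
        rows.append({
            "name": e["name"],
            "app": acl.get("app"),          # app the search is DEFINED in
            "author": e.get("author"),
            "owner": acl.get("owner"),
            "sharing": acl.get("sharing"),  # user / app / global
            "disabled": bool(e.get("content", {}).get("disabled", False)),
        })
    return rows


def defined_in(rows, app, owner=None):
    """Searches defined in `app` (and owned by `owner`, if given), regardless
    of the user/app namespace the request was made in."""
    return [r for r in rows
            if r["app"] == app and (owner is None or r["owner"] == owner)]


def visible_via_global_sharing(rows, app):
    """Searches a /servicesNS/<user>/<app> call lists although they are
    defined elsewhere: globally shared objects of other apps."""
    return [r for r in rows if r["app"] != app and r["sharing"] == "global"]


def to_csv_lines(rows):
    """One line per search; strings quoted, the disabled flag unquoted,
    the same layout the jq @csv variant produces for these values."""
    fields = ("name", "app", "author", "owner", "sharing", "disabled")
    return [",".join(json.dumps(r[f]) for f in fields) for r in rows]


if __name__ == "__main__":
    rows = parse_saved_searches(SAMPLE_RESPONSE)
    print("\n".join(to_csv_lines(defined_in(rows, "MYAPP", "admin"))))
    for r in visible_via_global_sharing(rows, "MYAPP"):
        print(f"visible in MYAPP but defined in {r['app']}: {r['name']}")
```

Replacing SAMPLE_RESPONSE with the body returned by fetch_saved_searches gives the live version; filtering on acl.app rather than on the namespace in the URL is what removes the MYAPP_backup, ANOTHER_APP and search entries from the original question.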

PaulPanther
Motivator

The REST API also gives you globally shared searches back.

You could try:

1. filter out all searches with name="sharing">global<
2. filter for name="app">MYAPP<
3. use a different user to call the API