Hello,
Using the below query I am able to get the title and definition of macros.
|rest /servicesNS/-/-/admin/macros
|table title,definition
Can the same be achieved using https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json
in a Postman call, so that I get only title and definition in the response of the API call?
I tried using the filter parameter f and search as per the documentation, but it is not giving the required response.
Thanks in advance
I don't know the exact Postman config for filtering, but via the CLI you can test the below first, assuming you can use a Linux system.
For the API call the field seems to be called name and not title, as I have noticed; this is a difference between | rest and calling the API. (Don't know why this is...)
Furthermore, if you install the jq command (it's a JSON processor), it will help with the two fields you want; if not, remove it from my command below.
You will need a token created in Splunk.
See my example below
curl -k -H "Authorization: Bearer <YOUR TOKEN>" https://*****:8089/servicesNS/-/-/admin/macros --get -d output_mode=json | jq '.entry[] | {name: .name, definition: .content.definition}'
This should give you the results for the name of the macro and its definition, optionally output to a JSON file.
Hi
It seems that when you are using output_mode=json those f=xyz parameters don't work. Instead you must use jq, as @deepakc already proposed.
curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name'
"3cx_supply_chain_attack_network_indicators_filter"
"7zip_commandline_to_smb_share_path_filter"
"abnormally_high_aws_instances_launched_by_user___mltk_filter"
"abnormally_high_aws_instances_launched_by_user_filter"
You could/should leave a comment on the doc page where output_mode is defined and add the information that if you are using JSON mode then f=xyz doesn't work. The doc team is really helpful in getting that kind of note into the real documentation.
r. Ismo
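As an added example (not code from the thread, and not Splunk's own), here is the same field selection that @deepakc's and Ismo's jq one-liners do, done in Python against the endpoint and query parameters the posts show (output_mode=json, count, offset). It mirrors `.entry[] | {name: .name, definition: .content.definition}`, and since the thread reports that f= did not trim the JSON output, the projection happens client-side. The base URL and token are placeholders, the embedded response is constructed to match the shape pasted in the thread (entry[].name, entry[].content.definition, paging.total/perPage/offset), and one caveat the one-liners skip is that a page is 30 entries by default, so a complete listing has to walk offset until paging.total is reached (or ask for count=0).

```python
"""Project Splunk macro name + definition out of the JSON REST response.

Added example, not from the thread. Assumptions: bearer-token auth as in
the curl command above, a placeholder base URL, and a constructed sample
response shaped like the one pasted in the thread.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Endpoint shown in the thread; in the raw API the macro title is 'name'.
ENDPOINT = "/servicesNS/-/-/admin/macros"


def project_macros(payload: dict) -> list:
    """Reduce one response page to [{'name': ..., 'definition': ...}].

    Same projection as the jq program in the thread; entries without a
    content block (should not happen for macros) yield definition=None.
    """
    return [
        {"name": e["name"], "definition": e.get("content", {}).get("definition")}
        for e in payload.get("entry", [])
    ]


def next_offset(payload: dict) -> Optional[int]:
    """Offset of the next page, or None when this page was the last one.

    Uses the paging block the API returns (total / perPage / offset).
    """
    paging = payload["paging"]
    nxt = paging["offset"] + paging["perPage"]
    return nxt if nxt < paging["total"] else None


def fetch_all_macros(base_url: str, token: str, page_size: int = 100,
                     verify_tls: bool = True) -> list:
    """Walk every page of the macros endpoint with a bearer token.

    Network code, not exercised by the embedded sample. verify_tls=False
    reproduces curl -k; leave it True against anything but a lab box.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    rows, offset = [], 0
    while offset is not None:
        qs = urllib.parse.urlencode(
            {"output_mode": "json", "count": page_size, "offset": offset})
        req = urllib.request.Request(
            f"{base_url}{ENDPOINT}?{qs}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            page = json.load(resp)
        rows.extend(project_macros(page))
        offset = next_offset(page)
    return rows


# Constructed sample: first page (30 of 45) of a macro listing, trimmed to
# the keys this script reads. Macro names are taken from the thread; the
# second definition is made up.
SAMPLE_PAGE = json.loads("""
{
  "entry": [
    {"name": "3cx_supply_chain_attack_network_indicators_filter",
     "content": {"definition": "search *", "disabled": false}},
    {"name": "7zip_commandline_to_smb_share_path_filter",
     "content": {"definition": "search NOT user=svc_backup", "disabled": false}}
  ],
  "paging": {"total": 45, "perPage": 30, "offset": 0},
  "messages": []
}
""")

if __name__ == "__main__":
    for row in project_macros(SAMPLE_PAGE):
        print(row)
    print("next offset:", next_offset(SAMPLE_PAGE))
    # Live use (placeholders): fetch_all_macros("https://splunk.example:8089", "<YOUR TOKEN>")
```

To run it against a real search head, replace the placeholders in the last comment with your management URL and token; the TLS default is kept on deliberately, unlike the `-k` in the curl examples.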
The jq was a suggestion, an optional command to help with filtering; if they can't use it, then they have to find an alternative method.
Please show exactly what you tried and tell how the results were not what was expected.
@richgalloway
I was mentioning that by using the below query I can limit the result to show only title and definition:
|rest /servicesNS/-/-/admin/macros
|table title,definition
Would there be a way to do the same with the REST API call for macros:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json
While using the above API call with Postman, I am getting all the fields of the results, but I am interested in limiting the result to show only "title" and "definition".
As shown below I am getting all fields; can I restrict the results to show only the name and definition of the macro?
{
"links": {
"create": "/servicesNS/-/-/admin/macros/_new",
"_reload": "/servicesNS/-/-/admin/macros/_reload",
"_acl": "/servicesNS/-/-/admin/macros/_acl"
},
"origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros",
"updated": "2024-04-29T13:11:40+00:00",
"generator": {
"build": "78803f08aabb",
"version": "9.2.1"
},
"entry": [
{
"name": "3cx_supply_chain_attack_network_indicators_filter",
"id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
"updated": "1970-01-01T00:00:00+00:00",
"links": {
"alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
"list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
"_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload",
"edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
"disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable"
},
"author": "nobody",
"acl": {
"app": "DA-ESS-ContentUpdate",
"can_change_perms": true,
"can_list": true,
"can_share_app": true,
"can_share_global": true,
"can_share_user": false,
"can_write": true,
"modifiable": true,
"owner": "nobody",
"perms": {
"read": [
"*"
],
"write": [
"admin"
]
},
"removable": false,
"sharing": "global"
},
"content": {
"definition": "search *",
"description": "Update this macro to limit the output results to filter out false positives.",
"disabled": false,
"eai:acl": null,
"eai:appName": "DA-ESS-ContentUpdate",
"eai:userName": "nobody"
}
}
],
"paging": {
"total": 2195,
"perPage": 30,
"offset": 0
},
"messages": []
}
You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_param...
Try something like this:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description
I believe you have to use the full name of the field ("entry.name", for example).
@richgalloway it would be helpful if you could give a screenshot of a working solution, as I have tried this as well with no luck.
@richgalloway
I have already tried using this; if you look at my posted question, I already mentioned there that the filter parameter f is not working.
Here is the screenshot of what I tried.