Splunk IT Service Intelligence

What is the correct REST endpoint to list ITSI correlation searches?

bondmar30
Engager

When I try to list the correlation searches defined in ITSI the resulting value is []. This is the REST API call I'm making: | rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search.

When I add the /count on the end it returns "count": 40 so I know they are there.

Does anyone have a suggestion on how to get to the correlation searches? The kvstore_to_json.py script is able to but I can't figure out how it's doing it.

Thanks,

Mark Bond


atsviatkou_splu
Splunk Employee

GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you a list of correlation search objects and extra information about them in JSON format.
More information is in the ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Inter...

Things can get a bit tricky when you use ITSI REST endpoints in the context of Splunk searches (by using | rest).

As of ITSI version 4.3 you can use an extra instruction, report_as=text, which will hand off data from ITSI to the Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.

For example, here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPL:

| rest "/services/event_management_interface/correlation_search" report_as=text
| spath input=value
| rename {}.name AS name, {}.search AS search
| eval x=mvzip(name,search)
| mvexpand x
| eval x=split(x,",")
| eval name=mvindex(x,0)
| eval search=mvindex(x,1)
| table name, search

You can use either:

| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text

or its shorter form:

| rest "/services/event_management_interface/correlation_search" report_as=text

shandr
Path Finder

Hopefully my reply below is useful for anybody who also finds themselves reading this old post.

The technique provided by @atsviatkou_splu is useful, and it has guided me on how to get a complete result.

However, it was only returning a subset of my Correlation Searches. I now get them all with the SPL below.

1. Correlation Search count

| rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text
| spath input=value
| fields count


2. Correlation Search details

| rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text
| eval as_json=spath(value,"{}")
| fields as_json
| mvexpand as_json
| eval name=spath(as_json, "name")
| eval search=spath(as_json, "search")
| table name search

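To make the difference between the two answers concrete, here is an added Python example (not code from this thread or from Splunk) that parses the JSON array the endpoint returns the way shandr's per-object spath does, and reproduces the mvzip/split(",") step from the first answer to show how a comma inside a search string truncates that search. It assumes the endpoint returns a JSON array of objects carrying "name" and "search" (which is what the thread's {}.name and {}.search expressions rely on), a bearer token for authentication, and a constructed sample body in place of a live response.

```python
import json
import urllib.request

# Endpoint path as given in the thread (the /servicesNS/nobody/SA-ITOA form).
ENDPOINT = "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search"

# Constructed sample body standing in for the endpoint's JSON array. The second
# search contains a comma, which is what trips the mvzip/split(",") approach.
SAMPLE_BODY = json.dumps([
    {"name": "Disk Usage High", "search": "index=os sourcetype=df | where pct > 90"},
    {"name": "Auth Failures",
     "search": "index=auth action=failure | stats count by user, src"},
])


def parse_correlation_searches(body):
    """Return [(name, search), ...] from a JSON array of correlation search objects.

    Mirrors shandr's approach: each array element is handled as its own object,
    so a comma inside a search string can never split the record.
    """
    objects = json.loads(body)
    if not isinstance(objects, list):
        raise ValueError("expected a JSON array of correlation search objects")
    return [(str(o.get("name", "")), str(o.get("search", ""))) for o in objects]


def mvzip_split_pair(name, search):
    """Reproduce the first answer's mvzip(name,search) -> split(x, ",") step.

    Returns what the SPL leaves in (name, search) after mvindex(x,0)/mvindex(x,1);
    a comma in the search truncates the search value.
    """
    parts = f"{name},{search}".split(",")
    return parts[0], parts[1]


def fetch_correlation_searches(base_url, token, timeout=30):
    """GET the endpoint with a bearer token; urllib verifies the TLS certificate by default."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_correlation_searches(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live inventory call
    # fetch_correlation_searches("https://<your-splunk-host>:8089", "<your-token>").
    for name, search in parse_correlation_searches(SAMPLE_BODY):
        print(f"{name}: {search}")
    print("mvzip/split result:", mvzip_split_pair(*parse_correlation_searches(SAMPLE_BODY)[1]))
```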