Splunk IT Service Intelligence

What is the correct REST endpoint to list ITSI correlation searches?

bondmar30
Engager

When I try to list the correlation searches defined in ITSI the resulting value is []. This is the REST API call I'm making: | rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search.

When I add the /count on the end it returns "count": 40 so I know they are there.

Does anyone have a suggestion on how to get to the correlation searches? The kvstore_to_json.py script is able to but I can't figure out how it's doing it.

Thanks,

Mark Bond


atsviatkou_splu
Splunk Employee

GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you a list of correlation search objects and extra information about them in JSON format.
More information in ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Inter...

Things can get a bit tricky when you use ITSI REST endpoints in the context of Splunk searches (by using | rest).

As of ITSI version 4.3 you can use an extra instruction, report_as=text, which will hand off data from ITSI to the Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.

For example, here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPL:

| rest "/services/event_management_interface/correlation_search" report_as=text 
| spath input=value 
| rename {}.name AS name, {}.search AS search 
| eval x=mvzip(name,search)
| mvexpand x 
| eval x = split(x,",") 
| eval name=mvindex(x,0) 
| eval search=mvindex(x,1) 
| table name, search

You can use either:

| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text 

or its shorter form:

| rest "/services/event_management_interface/correlation_search" report_as=text 

shandr
Path Finder

Hopefully my reply below is useful for anybody who also finds themselves reading this old post.

The technique provided by @atsviatkou_splu is useful, and it has guided me on how to get a complete result.

However, it was only returning a subset of my Correlation Searches. I now get them all with the SPL below.

1. Correlation Search count

| rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text
| spath input=value
| fields count


2. Correlation Search details

| rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text
| eval as_json=spath(value,"{}")
| fields as_json
| mvexpand as_json
| eval name=spath(as_json, "name")
| eval search=spath(as_json, "search")
| table name search

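The two answers above both hand the raw JSON from the correlation_search endpoint to the search pipeline and then pick out name and search. The same extraction done outside SPL, as an added example that is not code from this thread, from Splunk or from ITSI: it parses the JSON array the endpoint returns (the shape both searches rely on, assumed here), reads the integer from the /count endpoint, and shows how a practitioner would fetch the endpoint directly with a token. Note that a search string in the JSON frequently contains commas, so it is extracted whole from the parsed object rather than by splitting a joined string. The host, the token and SAMPLE_RESPONSE are constructed for illustration.

```python
"""List ITSI correlation searches over REST and tabulate name / search.

Added example for this thread, not code from Splunk, ITSI or the posters.
Assumes the correlation_search endpoint returns a JSON array of objects that
each carry "name" and "search" keys, which is the shape the SPL in the thread
relies on. The host, the token and SAMPLE_RESPONSE are constructed.
"""
import json
import urllib.request

# Same endpoint the thread uses; /services/... is its shorter form.
ENDPOINT = "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search"

# Constructed sample of what report_as=text hands to the search pipeline.
# The second search contains commas, which is common in SPL.
SAMPLE_RESPONSE = json.dumps([
    {"name": "Service health degraded",
     "search": "index=itsi_summary alert_level>5",
     "disabled": 0},
    {"name": "KPI threshold breached",
     "search": "index=itsi_summary | stats count by itsi_service_id, itsi_kpi_id",
     "disabled": 1},
])


def parse_correlation_searches(raw_text):
    """Return [(name, search), ...] from the raw JSON text of the endpoint.

    Reading each field from the parsed object keeps a search string intact
    even when it contains commas.
    """
    items = json.loads(raw_text)
    if not isinstance(items, list):
        raise ValueError("expected a JSON array of correlation search objects")
    return [(item.get("name", ""), item.get("search", "")) for item in items]


def parse_count(raw_text):
    """Return the integer from the /count endpoint, e.g. {"count": 40}."""
    return int(json.loads(raw_text)["count"])


def fetch(base_url, token, path=ENDPOINT, timeout=30):
    """GET an ITSI endpoint with a Splunk authentication token (hypothetical host/token).

    TLS is verified with the default context; a self-signed Splunk
    certificate should be trusted explicitly rather than by disabling
    verification.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live instance use
    # fetch("https://splunk.example:8089", token) in place of SAMPLE_RESPONSE.
    for name, search in parse_correlation_searches(SAMPLE_RESPONSE):
        print(f"{name}\t{search}")
```

Running the file prints the two constructed rows; pointing fetch() at a real management port requires a token with read access to the SA-ITOA objects.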