Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the correct REST endpoint to list ITSI correlation searches?

bondmar30
Engager
‎07-05-2018 11:17 AM

When I try to list the correlation searches defined in ITSI the resulting value is []. This is the REST API call I'm making: | rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search.

When I add the /count on the end it returns "count": 40 so I know they are there.

Does anyone have a suggestion on how to get to the correlation searches? The kvstore_to_json.py script is able to but I can't figure out how it's doing it.

Thanks,

Mark Bond

0 Karma
Reply

atsviatkou_splu
Splunk Employee
Splunk Employee
‎10-23-2019 02:37 PM

GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you list of correlation search objects and extra information about them in JSON format
More information in ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Inter...

Things can get a bit tricky when you use ITSI REST endpoints in context of Splunk searches (by using | rest ).

As of ITSI version 4.3 you can use extra instruction: report_as=text which will hand off data from ITSI to Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.

For example here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPLs:

| rest "/services/event_management_interface/correlation_search" report_as=text 
| spath input=value 
| rename {}.name AS name, {}.search AS search 
| eval x=mvzip(name,search)
| mvexpand x 
| eval x = split(x,",") 
| eval name=mvindex(x,0) 
| eval search=mvindex(x,1) 
| table name, search

you can use either:

| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text

or its shorter form:

| rest "/services/event_management_interface/correlation_search" report_as=text
0 Karma
Reply

shandr
Path Finder
‎05-23-2022 09:27 PM

Hopefully my reply below is useful for anybody who also finds themselves reading this old post.

The technique provided by @atsviatkou_splu is useful--and it has guided me how to get a complete result.

However it was only returning a subset of my Correlation Searches. I now get them all with the SPL below.

1. Correlation Search count

| rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text
| spath input=value
| fields count


2. Correlation Search details

| rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text
| eval as_json=spath(value,"{}")
| fields as_json
| mvexpand as_json
| eval name=spath(as_json, "name")
| eval search=spath(as_json, "search")
| table name search

 

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top