Splunk ITSI

What is the correct REST endpoint to list ITSI correlation searches?

bondmar30
Engager

When I try to list the correlation searches defined in ITSI the resulting value is []. This is the REST API call I'm making: | rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search.

When I add the /count on the end it returns "count": 40 so I know they are there.

Does anyone have a suggestion on how to get to the correlation searches? The kvstore_to_json.py script is able to, but I can't figure out how it's doing it.

Thanks,

Mark Bond


atsviatkou_splu
Splunk Employee

GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you a list of correlation search objects and extra information about them in JSON format.
More information in ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Inter...

Things can get a bit tricky when you use ITSI REST endpoints in the context of Splunk searches (by using | rest).

As of ITSI version 4.3 you can use an extra instruction, report_as=text, which will hand off data from ITSI to the Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.

For example, here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPLs:

| rest "/services/event_management_interface/correlation_search" report_as=text 
| spath input=value 
| rename {}.name AS name, {}.search AS search 
| eval x=mvzip(name,search)
| mvexpand x 
| eval x = split(x,",") 
| eval name=mvindex(x,0) 
| eval search=mvindex(x,1) 
| table name, search

You can use either:

| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text 

or its shorter form:

| rest "/services/event_management_interface/correlation_search" report_as=text 

shandr
Path Finder

Hopefully my reply below is useful for anybody who also finds themselves reading this old post.

The technique provided by @atsviatkou_splu is useful--and it has guided me on how to get a complete result.

However, it was only returning a subset of my Correlation Searches. I now get them all with the SPL below.

1. Correlation Search count

| rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text
| spath input=value
| fields count


2. Correlation Search details

| rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text
| eval as_json=spath(value,"{}")
| fields as_json
| mvexpand as_json
| eval name=spath(as_json, "name")
| eval search=spath(as_json, "search")
| table name search

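As an added example (not code from this thread or from ITSI itself), the following Python script consumes the same JSON array that the correlation_search endpoint hands back when the searches above use report_as=text, and applies the checks a practitioner would want before trusting the result: it parses each object's name and search (the two keys the spath expressions above rely on), compares the number of parsed entries against the value from the /count endpoint, and flags searches whose SPL contains a comma. That last check matters because the first search in this thread joins name and search with mvzip, whose default delimiter is a comma, and then splits on "," again; any correlation search whose SPL itself contains a comma is cut at that comma by that approach, whereas the spath(as_json, ...) form in the reply above does not have that problem. The sample response is constructed here, and the fetch helper, its base URL, and the Bearer-token header it sends are assumptions about a typical Splunk management-port deployment rather than anything stated in the thread.

```python
import json
import ssl
import urllib.request

# Constructed sample shaped like the JSON array the endpoint returns: a list
# of correlation search objects carrying (at least) "name" and "search".
# Real objects carry many more keys, which are omitted here.
SAMPLE_RESPONSE = json.dumps([
    {"name": "Example Disk Space Search",
     "search": 'index=itsi_summary alert_severity=critical kpi="Disk Space"'},
    {"name": "Example Multi-KPI Search",
     "search": "index=itsi_summary | stats count by kpi, alert_severity | where count > 5"},
])

# Constructed value standing in for the /count endpoint's "count" field.
SAMPLE_COUNT = 2


def parse_correlation_searches(raw_text):
    """Parse the raw endpoint body and return (name, search) tuples.

    Mirrors the spath(as_json, "name") / spath(as_json, "search") extraction
    from the SPL above, but in Python so the result can be checked offline.
    """
    objects = json.loads(raw_text)
    if not isinstance(objects, list):
        raise ValueError("expected a JSON array of correlation search objects")
    return [(obj.get("name", ""), obj.get("search", "")) for obj in objects]


def matches_reported_count(pairs, reported_count):
    """True when the number of parsed searches equals the /count value."""
    return len(pairs) == reported_count


def searches_with_commas(pairs):
    """Names of searches whose SPL contains a comma.

    These are the entries that the mvzip/split(x, ",") approach would truncate
    at the first comma of the search string.
    """
    return [name for name, search in pairs if "," in search]


def fetch_correlation_searches(base_url, token, cafile=None):
    """Hypothetical helper (assumption, not from the thread): fetch the live
    endpoint over HTTPS using a Splunk authentication token and parse it."""
    url = (base_url.rstrip("/")
           + "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search")
    request = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    context = ssl.create_default_context(cafile=cafile)  # verify the server cert
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return parse_correlation_searches(response.read().decode("utf-8"))


if __name__ == "__main__":
    pairs = parse_correlation_searches(SAMPLE_RESPONSE)
    print("parsed", len(pairs), "searches; count endpoint agrees:",
          matches_reported_count(pairs, SAMPLE_COUNT))
    print("searches a comma split would truncate:", searches_with_commas(pairs))
    for name, search in pairs:
        print(f"{name}\n    {search}")
```

Running the script offline prints the two constructed entries and reports that the second one would be truncated by a comma split; pointing fetch_correlation_searches at a real instance (for example https://splunk.example.com:8089, a placeholder) and passing the live count into matches_reported_count gives the same sanity check against production data.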