Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the correct REST endpoint to list ITSI correlation searches?

bondmar30
Engager
‎07-05-2018 11:17 AM

When I try to list the correlation searches defined in ITSI the resulting value is []. This is the REST API call I'm making: | rest /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search.

When I add the /count on the end it returns "count": 40 so I know they are there.

Does anyone have a suggestion on how to get to the correlation searches? The kvstore_to_json.py script is able to but I can't figure out how it's doing it.

Thanks,

Mark Bond

0 Karma
Reply

atsviatkou_splu
Splunk Employee
Splunk Employee
‎10-23-2019 02:37 PM

GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you list of correlation search objects and extra information about them in JSON format
More information in ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Inter...

Things can get a bit tricky when you use ITSI REST endpoints in context of Splunk searches (by using | rest ).

As of ITSI version 4.3 you can use extra instruction: report_as=text which will hand off data from ITSI to Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.

For example here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPLs:

| rest "/services/event_management_interface/correlation_search" report_as=text 
| spath input=value 
| rename {}.name AS name, {}.search AS search 
| eval x=mvzip(name,search)
| mvexpand x 
| eval x = split(x,",") 
| eval name=mvindex(x,0) 
| eval search=mvindex(x,1) 
| table name, search

you can use either:

| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text

or its shorter form:

| rest "/services/event_management_interface/correlation_search" report_as=text
0 Karma
Reply

shandr
Path Finder
‎05-23-2022 09:27 PM

Hopefully my reply below is useful for anybody who also finds themselves reading this old post.

The technique provided by @atsviatkou_splu is useful--and it has guided me how to get a complete result.

However it was only returning a subset of my Correlation Searches. I now get them all with the SPL below.

1. Correlation Search count

| rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text
| spath input=value
| fields count


2. Correlation Search details

| rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text
| eval as_json=spath(value,"{}")
| fields as_json
| mvexpand as_json
| eval name=spath(as_json, "name")
| eval search=spath(as_json, "search")
| table name search

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...