Splunk SOAR (f.k.a. Phantom)

Defining object detail in REST queries?

Iñigo
Explorer

Hi

I'm running REST queries to retrieve containers that need to be reprocessed, depending on the values of some of their artifacts. My approach is querying the artifacts REST endpoint in this way:

/rest/artifact/?page_size=3000&_filter_name="my artifact of interest"&_filter_update_time__gt="2023-01-01T00:00:00"&_filter_[othercriteria]

The thing is these artifacts are quite heavy and in this particular case I only need their container ID field, so there is no point in retrieving all the other irrelevant field data.

If I were querying a single known artifact I could use the object detail specification documented at https://docs.splunk.com/Documentation/SOARonprem/5.5.0/PlatformAPI/RESTQueryData#Requesting_Object_D... I haven't seen any similar way to specify which fields shall be retrieved while querying for an object list. Is there any way to do this?


Also, is there any way one can query artifacts whose associated container has some properties?

Right now I'm doing a massive artifact query, a massive container query and matching the results in a playbook. That's something that would be trivial and much lighter to do by SQL-querying the underlying PostgreSQL database.


Hints about this would be much appreciated.


phanTom
SplunkTrust

@Iñigo you can query for artifact values a few ways, as you have probably seen. The artifact table is always going to be much heavier to query than the container one, for example, due to numbers.

You can access artifact values through the container rest endpoint such as below:

/rest/container?_filter_artifact__label="event"

Note the double _ which basically jumps to the artifact table but via the container REST endpoint. With this you should be able to have filters at both container and artifact level and pull back the data possibly in 1 go?

The double _ can be used a lot in this way but requires the field before it to have a context in another table.

I wish they would put more examples like this in the docs so when you get this working it might be worth adding something to the feedback section of the docs page for REST so they can add something relevant?

-- If this helped solve your issue please mark as a solution! Happy SOARing! --
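As an added example (not code from Splunk or from either poster), the snippet below puts the answer's suggestion and the original question's procedure together: it builds a `/rest/container` list query whose `_filter_` parameters reach into the artifact table through the double underscore, and then walks the paginated result collecting only the container IDs, so the large artifact pull and the playbook-side matching are replaced by one filtered container query. It assumes the list endpoints answer with `count`, `num_pages` and `data` fields and that the caller passes a session object with a `get(path) -> dict` method; the `FakeSession` and its pages are constructed here so the example runs offline.

```python
"""Build SOAR REST list queries that filter across the container/artifact
relationship with the double-underscore lookup, and walk the paginated result.

Assumption: list endpoints return {"count": N, "num_pages": M, "data": [...]}.
The session object only needs a get(path) -> dict method; FakeSession below is
a constructed offline stand-in for a real authenticated HTTP session.
"""
from urllib.parse import parse_qs, urlencode, urlparse


def build_filter_query(endpoint, filters, page_size=1000, page=0):
    """Return '/rest/<endpoint>?...' with one _filter_ parameter per entry.

    Keys are lookup paths in the Django style the answer describes:
    'artifact__label' jumps from the container table into the related
    artifact table, and a trailing lookup such as 'artifact__update_time__gt'
    turns equality into a comparison. String values are wrapped in double
    quotes, as in the queries quoted in this thread; numbers stay bare.
    urlencode() takes care of escaping the quotes, spaces and colons.
    """
    params = {"page_size": page_size, "page": page}
    for path, value in filters.items():
        if isinstance(value, str):
            value = f'"{value}"'
        params[f"_filter_{path}"] = value
    return f"/rest/{endpoint}?{urlencode(params)}"


def fetch_all(session, endpoint, filters, page_size=1000):
    """Yield every record of a filtered list query, page by page."""
    page = 0
    while True:
        body = session.get(build_filter_query(endpoint, filters, page_size, page))
        yield from body.get("data", [])
        page += 1
        if page >= body.get("num_pages", 1):
            break


def container_ids_for_artifacts(session, artifact_name, since, extra=None):
    """Sorted container IDs whose artifacts match the name and update time.

    This is the single-query form the answer proposes: both filters sit on
    /rest/container, so no artifact records are transferred at all and only
    the 'id' field of each container is kept.
    """
    filters = {"artifact__name": artifact_name, "artifact__update_time__gt": since}
    filters.update(extra or {})
    return sorted({c["id"] for c in fetch_all(session, "container", filters)})


class FakeSession:
    """Constructed offline stand-in for an authenticated session.

    Serves canned pages keyed by the 'page' query parameter and records every
    path requested so a caller can inspect the generated queries.
    """

    def __init__(self, pages):
        self.pages = pages
        self.requests = []

    def get(self, path):
        self.requests.append(path)
        page = int(parse_qs(urlparse(path).query)["page"][0])
        return {
            "count": sum(len(p) for p in self.pages),
            "num_pages": len(self.pages),
            "data": self.pages[page],
        }


# Constructed sample: two pages of containers as a list query would return them.
SAMPLE_PAGES = [
    [{"id": 101, "label": "event"}, {"id": 102, "label": "event"}],
    [{"id": 103, "label": "event"}],
]

if __name__ == "__main__":
    session = FakeSession(SAMPLE_PAGES)
    ids = container_ids_for_artifacts(session, "my artifact of interest", "2023-01-01T00:00:00")
    print("queries sent:", *session.requests, sep="\n  ")
    print("container ids:", ids)
```

Against a live instance, the session would be a thin wrapper around an HTTP client that sends the `ph-auth-token` header and returns the parsed JSON body; everything else stays the same. Extra container-level conditions (for example a status filter) go in `extra`, which is how the thread's second question, filtering artifacts by properties of their container, collapses into the same query.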
