Splunk SOAR (f.k.a. Phantom)

Defining object detail in REST queries?

Iñigo
Explorer

Hi

I'm running REST queries to retrieve containers that need to be reprocessed depending on the values of some of their artifacts. My approach is querying the artifacts REST endpoint in this way:

/rest/artifact/?page_size=3000&_filter_name="my artifact of interest"&_filter_update_time__gt="2023-01-01T00:00:00"&_filter_[othercriteria]

The thing is these artifacts are quite heavy, and in this particular case I only need their container ID field, so there is no point in retrieving all the other, irrelevant field data.

If I were querying a single known artifact I could use the object detail specification documented at https://docs.splunk.com/Documentation/SOARonprem/5.5.0/PlatformAPI/RESTQueryData#Requesting_Object_D... I haven't seen any similar way to specify which fields shall be retrieved while querying for an object list. Is there any way to do this?
Also, is there any way one can query artifacts whose associated container has some properties?

Right now I'm doing a massive artifact query, a massive container query and matching the results in a playbook. That's something that would be trivial and much lighter to do by SQL-querying the underlying PostgreSQL database.
Hints about this would be much appreciated.


phanTom
SplunkTrust

@Iñigo you can query for artifact values in a few ways, as you have probably seen. The artifact table is always going to be much heavier to query than the container one, for example, due to numbers.

You can access artifact values through the container rest endpoint such as below:

/rest/container?_filter_artifact__label="event"

Note the double _, which basically jumps to the artifact table but via the container REST endpoint. With this you should be able to have filters at both container and artifact level and pull back the data, possibly in one go?

The double _ can be used a lot in this way, but it requires the field before it to have a context in another table.

I wish they would put more examples like this in the docs, so when you get this working it might be worth adding something to the feedback section of the REST docs page so they can add something relevant?

-- If this helped solve your issue please mark as a solution! Happy SOARing! --
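Worked example (added here; this is not code from the thread, from Splunk, or from either poster): a small Python client that builds the container-endpoint query with the double-underscore hop into the artifact table described in the answer, pages through the result set, and keeps only the container IDs, which is what the question actually needs. Everything about the API that the code relies on is an assumption stated in the comments: the page and page_size parameters with page starting at 0, the _filter_<field> parameters with Django-style lookups (__gt, and the related-table hop __), the response shape {"count", "num_pages", "data"}, and the ph-auth-token request header for an automation user. The two response pages in SAMPLE_PAGES are constructed so the example runs offline; the hostname soar.example.local is a placeholder.

```python
"""Added example: query Splunk SOAR containers by artifact-level criteria via the
container endpoint, page through the results, and keep only the container IDs.

Assumptions (not confirmed by the thread): page/page_size query parameters with
page numbered from 0; _filter_<field> parameters accepting JSON-quoted values,
Django-style lookups (__gt) and the related-table hop (artifact__label); paged
responses shaped {"count": N, "num_pages": M, "data": [...]}; and the
ph-auth-token header for automation-user authentication.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse


def build_query_url(base_url, endpoint, filters, page=0, page_size=1000):
    """Return a /rest/<endpoint> query URL.

    Filter values are JSON-encoded so strings are double-quoted, matching the
    form used in the thread (_filter_name="event"); urlencode then escapes them.
    """
    params = {"page": page, "page_size": page_size}
    for field, value in filters.items():
        params["_filter_" + field] = json.dumps(value)
    return f"{base_url.rstrip('/')}/rest/{endpoint}?{urlencode(params)}"


def auth_headers(token):
    """Put the automation token in a header, never in the URL, so it does not
    end up in proxy or web-server access logs."""
    return {"ph-auth-token": token}


def https_fetch(url, token, timeout=30):
    """Production fetch: HTTPS GET with certificate verification left enabled
    (urllib's default). Not called by the offline demo below."""
    req = urllib.request.Request(url, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_all_pages(url_for_page, fetch, max_pages=1000):
    """Walk page 0 .. num_pages-1. `fetch(url)` returns the decoded JSON body;
    max_pages is a safety stop in case num_pages is missing or absurd."""
    pages = []
    page = 0
    while page < max_pages:
        body = fetch(url_for_page(page))
        pages.append(body)
        if page + 1 >= int(body.get("num_pages", 1)):
            break
        page += 1
    return pages


def container_ids_from_pages(pages, id_field):
    """Collect unique IDs from the "data" lists, preserving first-seen order.
    Use id_field="id" for /rest/container results and "container" for
    /rest/artifact results (the artifact record's parent container ID)."""
    seen = []
    for body in pages:
        for record in body.get("data", []):
            cid = record.get(id_field)
            if cid is not None and cid not in seen:
                seen.append(cid)
    return seen


# Constructed sample responses standing in for a live SOAR instance.
SAMPLE_PAGES = {
    0: {"count": 3, "num_pages": 2,
        "data": [{"id": 101, "label": "events"}, {"id": 102, "label": "events"}]},
    1: {"count": 3, "num_pages": 2,
        "data": [{"id": 103, "label": "events"}]},
}


def demo_container_ids():
    """Container-level filter (status) combined with artifact-level filters
    (artifact__name, artifact__update_time__gt) in a single container query."""
    filters = {
        "status": "new",
        "artifact__name": "my artifact of interest",
        "artifact__update_time__gt": "2023-01-01T00:00:00",
    }

    def url_for_page(page):
        return build_query_url("https://soar.example.local", "container",
                               filters, page=page, page_size=2)

    def fake_fetch(url):
        # Offline stand-in for https_fetch: serve the constructed page.
        page = int(parse_qs(urlparse(url).query)["page"][0])
        return SAMPLE_PAGES[page]

    return container_ids_from_pages(fetch_all_pages(url_for_page, fake_fetch), "id")


if __name__ == "__main__":
    print(demo_container_ids())
```

To go the other direction the question asks about (artifacts whose container has some property), the same helper would be pointed at the artifact endpoint with a container-side hop, for example filters={"container__status": "new"} and id_field="container"; whether that reverse lookup is accepted is, like the rest, an assumption to confirm against your instance. Run the query once with page_size small and check "count" before pulling thousands of records.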
