Splunk SOAR

Defining object detail in REST queries?

Iñigo
Explorer

Hi

I'm running REST queries to retrieve containers that need to be reprocessed depending on the values of some of their artifacts. My approach is querying the artifacts REST endpoint in this way:

/rest/artifact/?page_size=3000&_filter_name="my artifact of interest"&_filter_update_time__gt="2023-01-01T00:00:00"&_filter_[othercriteria]

The thing is these artifacts are quite heavy, and in this particular case I only need their container ID field, so there is no point in retrieving all the other irrelevant field data.

If I were querying a single known artifact I could use the object detail specification documented at https://docs.splunk.com/Documentation/SOARonprem/5.5.0/PlatformAPI/RESTQueryData#Requesting_Object_D... I haven't seen any similar way to specify which fields shall be retrieved while querying for an object list. Is there any way to do this?


Also, is there any way one can query artifacts whose associated container has some properties?

Right now I'm doing a massive artifact query, a massive container query and matching the results in a playbook. That's something that would be trivial and much lighter to do by SQL-querying the underlying PostgreSQL database.


Hints about this would be much appreciated.


phanTom
SplunkTrust

@Iñigo you can query for artifact values a few ways, as you have probably seen. The artifact table is always going to be much heavier to query than the container one, for example, due to numbers. 

You can access artifact values through the container rest endpoint such as below:

/rest/container?_filter_artifact__label="event"

Note the double _, which basically jumps to the artifact table but via the container REST endpoint. With this you should be able to have filters at both container and artifact level and pull back the data possibly in 1 go?

The double _ can be used a lot in this way but requires the field before it to have a context in another table. 

I wish they would put more examples like this in the docs, so when you get this working it might be worth adding something to the feedback section of the docs page for REST so they can add something relevant?

-- If this helped solve your issue please mark as a solution! Happy SOARing! --
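An added example, not code from either post or from Splunk: a small Python client that builds the `_filter_artifact__label="event"` style query phanTom describes against `/rest/container`, pages through the result with `page`/`page_size`, and keeps only the container ids Iñigo is after. The host and token are placeholders; the `ph-auth-token` header and the `data`/`num_pages` response keys are the SOAR REST conventions as I know them; chaining a lookup operator after the relation hop (`artifact__update_time__gt`) and the container `status` field are assumptions, not something the thread confirms.

```python
"""Added example (not from the original thread or from Splunk): query Splunk
SOAR's /rest/container endpoint with artifact-level filters and page through
the results to collect only the container ids."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (constructed): point these at a real SOAR instance to use http_get_json.
SOAR_BASE = "https://soar.example.invalid"
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"

Fetcher = Callable[[str], dict]


def build_query(endpoint: str, filters: Dict[str, object],
                page_size: int = 500, page: int = 0) -> str:
    """Build a /rest/<endpoint> URL.

    Each filter key is the field path after `_filter_`; a `__` segment is either
    a hop into a related table (artifact__label) or a lookup operator
    (update_time__gt), exactly as in the queries quoted in the thread.
    String values are wrapped in double quotes via json.dumps, matching
    `_filter_name="event"`, and then URL-encoded.
    """
    params = {"page_size": page_size, "page": page}
    for field, value in filters.items():
        params[f"_filter_{field}"] = json.dumps(value)
    return f"{SOAR_BASE}/rest/{endpoint}?{urlencode(params)}"


def http_get_json(url: str) -> dict:
    """Real fetcher: GET with the ph-auth-token header of an automation user."""
    req = urllib.request.Request(url, headers={"ph-auth-token": SOAR_TOKEN})
    with urllib.request.urlopen(req, timeout=60) as resp:  # TLS verified by default
        return json.loads(resp.read().decode("utf-8"))


def iter_results(endpoint: str, filters: Dict[str, object], fetch: Fetcher,
                 page_size: int = 500) -> Iterator[dict]:
    """Yield every record of a list query, following `num_pages` from the response."""
    page = 0
    while True:
        body = fetch(build_query(endpoint, filters, page_size, page))
        data = body.get("data", [])
        yield from data
        page += 1
        # Stop on the last page, or defensively on an empty page.
        if not data or page >= int(body.get("num_pages", 1)):
            break


def containers_with_artifact(fetch: Fetcher, artifact_name: str,
                             updated_after: Optional[str] = None,
                             container_filters: Optional[Dict[str, object]] = None) -> List[int]:
    """Container ids whose artifacts match, in one query against /rest/container.

    `artifact__name` hops to the artifact table (phanTom's `_filter_artifact__label`
    pattern); `artifact__update_time__gt` chains a lookup operator after the hop,
    which is an assumption here. `container_filters` are plain container fields.
    """
    filters: Dict[str, object] = {"artifact__name": artifact_name}
    if updated_after:
        filters["artifact__update_time__gt"] = updated_after
    filters.update(container_filters or {})
    return sorted({int(c["id"]) for c in iter_results("container", filters, fetch)})


# Constructed offline stand-in for the REST API: two pages of minimal container records.
_SAMPLE_PAGES = [
    [{"id": 101, "name": "Phishing report"}, {"id": 102, "name": "Malware alert"}],
    [{"id": 103, "name": "Suspicious login"}],
]


def sample_fetch(url: str) -> dict:
    """Return the constructed page selected by the URL's `page` parameter."""
    page = int(parse_qs(urlparse(url).query)["page"][0])
    return {"count": 3, "num_pages": len(_SAMPLE_PAGES), "data": _SAMPLE_PAGES[page]}


if __name__ == "__main__":
    print(build_query("container", {"artifact__label": "event"}))
    ids = containers_with_artifact(sample_fetch, "my artifact of interest",
                                   updated_after="2023-01-01T00:00:00",
                                   container_filters={"status": "open"})
    print(ids)  # [101, 102, 103] against the constructed pages
```

Swap `sample_fetch` for `http_get_json` to run it against a real instance, and raise `page_size` (the question used 3000) if the server allows it. The thread does not answer the field-restriction part of the question, so this only narrows the result set server-side and discards the unwanted fields client-side; the container records are still smaller than the artifact records the original approach pulled.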
