GET /servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search
should give you a list of correlation search objects and extra information about them in JSON format.
More information is in the ITSI REST API docs: https://docs.splunk.com/Documentation/ITSI/4.4.0/RESTAPI/ITSIRESTAPIreference#Event_Management_Interface
Things can get a bit tricky when you use ITSI REST endpoints in the context of Splunk searches (by using | rest).
As of ITSI version 4.3 you can use an extra instruction, report_as=text, which will hand off data from ITSI to the Splunk search engine without extra logic or pre-processing. Then you can extract any information you need in subsequent search instructions.
For example, here is a search that will get information from ITSI and display a table of correlation search names and their corresponding SPLs:
| rest "/services/event_management_interface/correlation_search" report_as=text
| spath input=value
| rename {}.name AS name, {}.search AS search
| eval x=mvzip(name,search,"@@@")
| mvexpand x
| eval x = split(x,"@@@")
| eval name=mvindex(x,0)
| eval search=mvindex(x,1)
| table name, search
You can use either:
| rest "/servicesNS/nobody/SA-ITOA/event_management_interface/correlation_search" report_as=text
or its shorter form:
| rest "/services/event_management_interface/correlation_search" report_as=text
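An added example, not part of the original answer: the same name/SPL table built outside Splunk in Python, pairing the two fields per JSON object so that commas in the SPL or an object with no search cannot misalign the rows. The sample response is constructed; only the `name` and `search` keys are taken from the search above, and the function names are hypothetical.

```python
import json

# Constructed sample of the JSON list the endpoint returns. Only the
# "name" and "search" keys come from the page; the values are made up.
SAMPLE_RESPONSE = json.dumps([
    {"name": "High CPU",
     "search": "index=os | stats avg(cpu) AS cpu, max(cpu) AS peak BY host"},
    {"name": "No SPL stored"},
    {"name": "Failed logins",
     "search": "index=auth action=failure\n| stats count BY user, src"},
])


def parse_correlation_searches(body):
    """Return [(name, search), ...] from the endpoint's JSON body."""
    objects = json.loads(body)
    if not isinstance(objects, list):
        raise ValueError("expected a JSON list of correlation search objects")
    rows = []
    for obj in objects:
        if not isinstance(obj, dict):
            continue  # skip anything that is not an object
        name = obj.get("name")
        if not name:
            continue  # an unnamed entry cannot be listed
        # Pairing per object keeps name and SPL together even when the
        # SPL contains commas or the "search" key is missing.
        rows.append((name, obj.get("search") or ""))
    return rows


def format_table(rows):
    """Render rows as a two-column text table, one search per line."""
    width = max((len(name) for name, _ in rows), default=4)
    lines = ["name".ljust(width) + "  search"]
    for name, search in rows:
        one_line = " ".join(search.split())  # collapse newlines in SPL
        lines.append(name.ljust(width) + "  " + one_line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_correlation_searches(SAMPLE_RESPONSE)))
```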