Splunk Enterprise

Splunk Rest API Response filtering

manish_navi
Explorer

Hello ,

Using the below query I am able to get title and definition of macros.

|rest /servicesNS/-/-/admin/macros
|table title,definition

Can this same be achievable using https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json
in a Postman call, so that I will get only title and definition in the response of an API call?

I tried using filter f, search as per the documentation but it's not giving the required response.

Thanks In advance

0 Karma

deepakc
Builder

I don't know about the exact Postman config for filtering, but via CLI you can test the below first, assuming you can use a Linux system.

For the API call it seems to be called name and not title as I have noticed; this is a difference between | rest and calling the API. (Don't know why this is...)

Furthermore, if you install the jq command (it's a JSON processor command), it will help with the two fields you want; if not, remove it from my command below.

You will need a token created in Splunk.

See my example below

curl -k -H "Authorization: Bearer <YOUR TOKEN>" https://*****:8089/servicesNS/-/-/admin/macros --get -d output_mode=json | jq '.entry[] | {name: .name, definition: .content.definition}'

This should give you the results for the name of the macro and its definition, optionally output to a JSON file.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

It seems that when you are using output_mode=json those f=xyz didn't work. Instead of those you must use jq as @deepakc already proposed.

curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name'
"3cx_supply_chain_attack_network_indicators_filter"
"7zip_commandline_to_smb_share_path_filter"
"abnormally_high_aws_instances_launched_by_user___mltk_filter"
"abnormally_high_aws_instances_launched_by_user_filter"

You could/should leave a comment on the doc page where output_mode is defined and add information that if you are using JSON mode then f=xyz doesn't work. The doc team is really helpful in updating that kind of note into the real documentation.

r. Ismo 

0 Karma

manish_navi
Explorer

@deepakc and @isoutamo, if this requires installation of jq, then it would not be possible, because if I want my customer to use the application and the prerequisite is to install the jq widget, I simply can't force my customer.

0 Karma

deepakc
Builder

The jq was a suggestion, and an optional command to help with filtering; if they can't use it, then they have to find an alternative method.

0 Karma
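As an added example (not code posted by anyone in this thread), here is a stdlib-only Python script that does the same title/definition filtering as @deepakc's jq pipeline, for the case @manish_navi raises where jq cannot be a prerequisite; it also walks all pages using the count and offset parameters. It assumes a bearer token and management URL you supply, the sample JSON inside is constructed to mirror the response structure shown in the thread, and fetch_macros is a hypothetical helper name, not a Splunk SDK call.

```python
import json
import ssl
import urllib.request

# Constructed sample, shaped like the /admin/macros?output_mode=json response in the thread.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "3cx_supply_chain_attack_network_indicators_filter",
         "content": {"definition": "search *", "disabled": False}},
        {"name": "7zip_commandline_to_smb_share_path_filter",
         "content": {"definition": "search *", "disabled": False}},
    ],
    "paging": {"total": 2195, "perPage": 30, "offset": 0},
})


def _load(payload):
    return json.loads(payload) if isinstance(payload, (str, bytes)) else payload


def extract_macros(payload):
    """Keep only title/definition: the '| rest' title is entry[].name in the
    API output, and definition sits under entry[].content."""
    return [{"title": e.get("name"),
             "definition": e.get("content", {}).get("definition")}
            for e in _load(payload).get("entry", [])]


def next_offset(payload):
    """Offset of the next page, or None once paging.total is reached."""
    p = _load(payload).get("paging", {})
    nxt = p.get("offset", 0) + p.get("perPage", 0)
    return nxt if nxt < p.get("total", 0) else None


def fetch_macros(base_url, token, cafile=None, count=100):
    """Walk every page of the endpoint and return title/definition only.
    TLS verification stays on: pass cafile for a private CA rather than
    disabling checks (the curl -k equivalent). Hypothetical helper name."""
    ctx = ssl.create_default_context(cafile=cafile)
    out, offset = [], 0
    while offset is not None:
        url = (f"{base_url}/servicesNS/-/-/admin/macros"
               f"?output_mode=json&count={count}&offset={offset}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = resp.read()
        out.extend(extract_macros(body))
        offset = next_offset(body)
    return out
```

Run extract_macros on any saved response body (bytes or str) to get the two fields without jq; fetch_macros does the same against a live management port.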

richgalloway
SplunkTrust
SplunkTrust

Please show exactly what you tried and tell how the results were not what was expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manish_navi
Explorer

@richgalloway  

I was mentioning that by using the below query I can limit the result to show only title and definition:

|rest /servicesNS/-/-/admin/macros
|table title,definition

Would there be a way to do the same with a REST API call for macros:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json 

While using the above API call with Postman, I am getting all the fields of the results, but I am interested in getting the result limited to show only "title" and "definition".
Like below I am getting all fields; can I restrict the results to show only name and definition of the macro?

{
    "links": {
        "create": "/servicesNS/-/-/admin/macros/_new",
        "_reload": "/servicesNS/-/-/admin/macros/_reload",
        "_acl": "/servicesNS/-/-/admin/macros/_acl"
    },
    "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros",
    "updated": "2024-04-29T13:11:40+00:00",
    "generator": {
        "build": "78803f08aabb",
        "version": "9.2.1"
    },
    "entry": [
        {
            "name": "3cx_supply_chain_attack_network_indicators_filter",
            "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
            "updated": "1970-01-01T00:00:00+00:00",
            "links": {
                "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload",
                "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable"
            },
            "author": "nobody",
            "acl": {
                "app": "DA-ESS-ContentUpdate",
                "can_change_perms": true,
                "can_list": true,
                "can_share_app": true,
                "can_share_global": true,
                "can_share_user": false,
                "can_write": true,
                "modifiable": true,
                "owner": "nobody",
                "perms": {
                    "read": [
                        "*"
                    ],
                    "write": [
                        "admin"
                    ]
                },
                "removable": false,
                "sharing": "global"
            },
            "content": {
                "definition": "search *",
                "description": "Update this macro to limit the output results to filter out false positives.",
                "disabled": false,
                "eai:acl": null,
                "eai:appName": "DA-ESS-ContentUpdate",
                "eai:userName": "nobody"
            }
        }
    ],
    "paging": {
        "total": 2195,
        "perPage": 30,
        "offset": 0
    },
    "messages": []
}


0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_param...

Try something like this:

https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description
---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe you have to use the full name of the field ("entry.name", for example).

---
If this reply helps you, Karma would be appreciated.
0 Karma

manish_navi
Explorer

@richgalloway it would be helpful if you could give a screenshot of a working solution, as I have tried this as well with no luck.

0 Karma

manish_navi
Explorer

@richgalloway 

I have already tried using this; if you see my posted question, there I have already mentioned that the filter parameter f is not working.

Here is the screenshot of what I tried.

0 Karma