Splunk SOAR (f.k.a. Phantom)

Defining object detail in REST queries?

Iñigo
Explorer

Hi

I'm running REST queries to retrieve containers that need to be reprocessed depending on the values of some of their artifacts. My approach is querying the artifacts REST endpoint in this way:

/rest/artifact/?page_size=3000&_filter_name="my artifact of interest"&_filter_update_time__gt="2023-01-01T00:00:00"&_filter_[othercriteria]

The thing is these artifacts are quite heavy and in this particular case I only need their container ID field, so there is no point in retrieving all the other irrelevant field data.

If I were querying a single known artifact I could use the object detail specification documented at https://docs.splunk.com/Documentation/SOARonprem/5.5.0/PlatformAPI/RESTQueryData#Requesting_Object_D... I haven't seen any similar way to specify which fields shall be retrieved while querying for an object list. Is there any way to do this?

Also, is there any way one can query artifacts whose associated container has some properties?

Right now I'm doing a massive artifact query, a massive container query and matching the results in a playbook. That's something that would be trivial and much lighter to do by SQL-querying the underlying PostgreSQL database.

Hints about this would be much appreciated.


phanTom
SplunkTrust

@Iñigo you can query for artifact values a few ways, as you have probably seen. The artifact table is always going to be much heavier to query than the container one, for example, due to numbers. 

You can access artifact values through the container rest endpoint such as below:

/rest/container?_filter_artifact__label="event"

Note the double _ which basically jumps to the artifact table but via the container REST endpoint.  With this you should be able to have filters at both container and artifact level and pull back the data possibly in 1 go?

The double _ can be used a lot in this way, but it requires the field before it to have a context in another table.

I wish they would put more examples like this in the docs so when you get this working it might be worth adding something to the feedback section of the docs page for REST so they can add something relevant?

-- If this helped solve your issue please mark as a solution! Happy SOARing! --
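The answer's `_filter_artifact__<field>` join can be turned into a small script that asks the container endpoint for the containers whose artifacts match, walks the paged result, and keeps only the container IDs, which is all the original question needed. The following is an added example and not code from either poster or from Splunk. It assumes, beyond what the answer shows, that the same double-underscore join works for other artifact fields such as `name` and `update_time__gt`, that the paged response has the `{"count", "num_pages", "data"}` shape with zero-based `page` numbers, that records carry an integer `id`, and that the API token is sent in the `ph-auth-token` header; the sample pages and `sample_fetcher` are constructed for offline use.

```python
"""Added example: query /rest/container with artifact-level filters and
collect only the container IDs.  Not code from the original post."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Set

# Assumed response shape: {"count": N, "num_pages": M, "data": [ {...}, ... ]}
# and a zero-based "page" query parameter.
Fetcher = Callable[[str, Dict[str, str]], dict]


def build_query(container_filters: Dict[str, object],
                artifact_filters: Dict[str, object],
                page_size: int = 500) -> Dict[str, str]:
    """Build the query parameters for /rest/container.

    container_filters keys are container fields ("label", "status", ...).
    artifact_filters keys are artifact lookups ("name", "update_time__gt", ...)
    and get the "artifact__" prefix so the filter is evaluated on the joined
    artifact table, as in _filter_artifact__label="event" above (assumed to
    generalise to other artifact fields).  Values are emitted as JSON literals,
    which gives strings the double quotes the REST filter syntax expects.
    """
    params = {"page_size": str(page_size)}
    for field, value in container_filters.items():
        params[f"_filter_{field}"] = json.dumps(value)
    for field, value in artifact_filters.items():
        params[f"_filter_artifact__{field}"] = json.dumps(value)
    return params


def query_string(params: Dict[str, str]) -> str:
    """URL-encode the parameters (quotes become %22, underscores stay as-is)."""
    return urllib.parse.urlencode(params)


def collect_container_ids(fetch: Fetcher, params: Dict[str, str]) -> List[int]:
    """Walk every page of the result and return distinct container IDs.

    Only the "id" field is read, so the rest of each record is discarded
    immediately; the set guards against a container appearing twice when
    more than one of its artifacts matches the filter.
    """
    seen: Set[int] = set()
    ordered: List[int] = []
    page = 0
    while True:
        body = fetch("/rest/container", {**params, "page": str(page)})
        for record in body.get("data", []):
            cid = int(record["id"])
            if cid not in seen:
                seen.add(cid)
                ordered.append(cid)
        page += 1
        if page >= int(body.get("num_pages", 1)):
            return ordered


def make_http_fetcher(base_url: str, token: str) -> Fetcher:
    """Real fetcher: GET base_url + path with the token in ph-auth-token.

    TLS verification is left at the urllib default (on); the token is read
    from the environment by the caller rather than hard-coded.
    """
    def fetch(path: str, params: Dict[str, str]) -> dict:
        url = f"{base_url.rstrip('/')}{path}?{query_string(params)}"
        req = urllib.request.Request(url, headers={"ph-auth-token": token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


# Constructed sample: two pages, container 102 appears on both (duplicate
# row from the artifact join), so the de-duplication is exercised.
SAMPLE_PAGES = [
    {"count": 3, "num_pages": 2,
     "data": [{"id": 101, "name": "alert A"}, {"id": 102, "name": "alert B"}]},
    {"count": 3, "num_pages": 2,
     "data": [{"id": 102, "name": "alert B"}, {"id": 103, "name": "alert C"}]},
]


def sample_fetcher(path: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for make_http_fetcher(): serves SAMPLE_PAGES."""
    assert path == "/rest/container"
    return SAMPLE_PAGES[int(params["page"])]


if __name__ == "__main__":
    params = build_query(
        container_filters={"label": "events"},
        artifact_filters={"name": "my artifact of interest",
                          "update_time__gt": "2023-01-01T00:00:00"},
    )
    print("GET /rest/container?" + query_string(params))
    token = os.environ.get("PHANTOM_TOKEN")  # assumed variable name
    fetch = make_http_fetcher(os.environ["PHANTOM_URL"], token) \
        if token and os.environ.get("PHANTOM_URL") else sample_fetcher
    print(collect_container_ids(fetch, params))
```

Because each page is reduced to its IDs as it arrives, memory stays flat regardless of how heavy the artifact records are, and the single request replaces the separate artifact and container pulls plus the playbook-side matching that the question describes. To point it at a live instance, set `PHANTOM_URL` and `PHANTOM_TOKEN` (names chosen for this example) and leave certificate verification on.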
