Splunk Enterprise

Splunk Rest API Response filtering

manish_navi
Explorer

Hello,

Using the query below I am able to get the title and definition of macros.

|rest /servicesNS/-/-/admin/macros
|table title,definition

Can the same be achieved using a Postman call to https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json, so that I get only title and definition in the response of the API call?

I tried using the filter parameters f and search as per the documentation, but it is not giving the required response.

Thanks In advance


deepakc
Builder

I don't know about the exact Postman config for filtering, but via CLI you can test the below first, assuming you can use a Linux system.

For the API call it seems to be called name and not title, as I have noticed; this is a difference between | rest and calling the API (don't know why this is...).

Furthermore, if you install the jq command (it's a JSON processor), it will help with the two fields you want; if not, remove it from my command below.

You will need a token created in Splunk.

See my example below

curl -k -H "Authorization: Bearer <YOUR TOKEN>" https://*****:8089/servicesNS/-/-/admin/macros --get -d output_mode=json | jq '.entry[] | {name: .name, definition: .content.definition}'

This should give you the results for the name of the macro and its definition, optionally output to a JSON file.


isoutamo
SplunkTrust

Hi

It seems that when you are using output_mode=json those f=xyz don't work. Instead you must use jq as @deepakc already proposed.

curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name'
"3cx_supply_chain_attack_network_indicators_filter"
"7zip_commandline_to_smb_share_path_filter"
"abnormally_high_aws_instances_launched_by_user___mltk_filter"
"abnormally_high_aws_instances_launched_by_user_filter"

You could/should leave a comment on the doc page where output_mode is defined and add the information that if you are using JSON mode then f=xyz doesn't work. The doc team is really helpful in getting that kind of note into the real documentation.

r. Ismo 

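As an added example, not code from either reply above, here is the projection deepakc's jq filter performs (name plus content.definition), done in Python over a constructed two-page sample shaped like the JSON later in this thread, and walking the paging block with the standard count/offset parameters, since, as Ismo notes, f= does not trim the JSON output. The base URL, the fetch_json callback and the sample pages are assumptions, not from the original post.

```python
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

# Constructed sample pages, trimmed to the shape of the /admin/macros JSON shown
# in this thread (one entry per page, two pages in total per the paging block).
SAMPLE_PAGES = [
    json.loads('{"entry": [{"name": "3cx_supply_chain_attack_network_indicators_filter",'
               ' "content": {"definition": "search *", "disabled": false}}],'
               ' "paging": {"total": 2, "perPage": 1, "offset": 0}, "messages": []}'),
    json.loads('{"entry": [{"name": "7zip_commandline_to_smb_share_path_filter",'
               ' "content": {"definition": "search *", "disabled": false}}],'
               ' "paging": {"total": 2, "perPage": 1, "offset": 1}, "messages": []}'),
]

def macros_url(base: str, count: int = 30, offset: int = 0) -> str:
    """Build the endpoint URL; count/offset are the standard Splunk REST paging params."""
    query = urlencode({"output_mode": "json", "count": count, "offset": offset})
    return f"{base}/servicesNS/-/-/admin/macros?{query}"

def project_macros(page: Dict) -> List[Dict[str, Optional[str]]]:
    """Keep only name and content.definition, i.e. what the jq filter in the thread selects."""
    return [{"name": e["name"], "definition": e.get("content", {}).get("definition")}
            for e in page.get("entry", [])]

def next_offset(page: Dict) -> Optional[int]:
    """Return the offset of the next page, or None once paging.total is exhausted."""
    paging = page["paging"]
    nxt = paging["offset"] + paging["perPage"]
    return nxt if nxt < paging["total"] else None

def collect_macros(fetch_json: Callable[[str], Dict], base: str, count: int = 30) -> List[Dict]:
    """Walk every page. fetch_json(url) is a hypothetical client callback, e.g.
    requests.get(url, headers={"Authorization": f"Bearer {token}"}, verify="/path/to/ca.pem").json()
    (verify the server certificate against your CA bundle instead of disabling checks as curl -k does)."""
    results, offset = [], 0
    while offset is not None:
        page = fetch_json(macros_url(base, count, offset))
        results.extend(project_macros(page))
        offset = next_offset(page)
    return results

def fake_fetch(url: str) -> Dict:
    """Offline stand-in for the HTTP client: serve the constructed pages by offset."""
    offset = int(url.rsplit("offset=", 1)[1])
    return SAMPLE_PAGES[offset]

if __name__ == "__main__":
    print(json.dumps(collect_macros(fake_fetch, "https://splunk.example:8089", count=1), indent=2))
```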

richgalloway
SplunkTrust

Please show exactly what you tried and tell how the results were not what was expected.

---
If this reply helps you, Karma would be appreciated.

manish_navi
Explorer

@richgalloway  

I was mentioning that by using the query below I can limit the result to show only title and definition:

|rest /servicesNS/-/-/admin/macros
|table title,definition

Would there be a way to do the same with the REST API call for macros:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json

While using the above API call with Postman, I am getting all the fields of the results, but I am interested in limiting the result to show only "title" and "definition".
Like below, I am getting all fields; can I restrict the results to show only the name and definition of the macro?

{
    "links": {
        "create": "/servicesNS/-/-/admin/macros/_new",
        "_reload": "/servicesNS/-/-/admin/macros/_reload",
        "_acl": "/servicesNS/-/-/admin/macros/_acl"
    },
    "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros",
    "updated": "2024-04-29T13:11:40+00:00",
    "generator": {
        "build": "78803f08aabb",
        "version": "9.2.1"
    },
    "entry": [
        {
            "name": "3cx_supply_chain_attack_network_indicators_filter",
            "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
            "updated": "1970-01-01T00:00:00+00:00",
            "links": {
                "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload",
                "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable"
            },
            "author": "nobody",
            "acl": {
                "app": "DA-ESS-ContentUpdate",
                "can_change_perms": true,
                "can_list": true,
                "can_share_app": true,
                "can_share_global": true,
                "can_share_user": false,
                "can_write": true,
                "modifiable": true,
                "owner": "nobody",
                "perms": {
                    "read": [
                        "*"
                    ],
                    "write": [
                        "admin"
                    ]
                },
                "removable": false,
                "sharing": "global"
            },
            "content": {
                "definition": "search *",
                "description": "Update this macro to limit the output results to filter out false positives.",
                "disabled": false,
                "eai:acl": null,
                "eai:appName": "DA-ESS-ContentUpdate",
                "eai:userName": "nobody"
            }
        }
    ],
    "paging": {
        "total": 2195,
        "perPage": 30,
        "offset": 0
    },
    "messages": []
}



richgalloway
SplunkTrust

You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_param...

Try something like this:

https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

I believe you have to use the full name of the field ("entry.name", for example).

---
If this reply helps you, Karma would be appreciated.

manish_navi
Explorer

@richgalloway 

I have already tried using this; if you look at my posted question, I have already mentioned there that the filter parameter f is not working.

Here is the screenshot of what I tried:

[screenshot: manish_navi_0-1715147507778.png]