Splunk Enterprise

Splunk Rest API Response filtering

manish_navi
Explorer

Hello,

Using the query below I am able to get the title and definition of macros.

|rest /servicesNS/-/-/admin/macros
|table title,definition

Can the same be achieved using https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json in a Postman call, so that I get only title and definition in the response of the API call?

I tried using the filter parameters f and search as per the documentation, but it's not giving the required response.

Thanks in advance


deepakc
Contributor

I don't know about the exact Postman config for filtering, but via the CLI you can test the below first, assuming you can use a Linux system.

For the API call it seems to be called name and not title, as I have noticed; this is a difference between | rest and calling the API. (Don't know why this is...)

Furthermore, if you install the jq command (it's a JSON processor command), it will help with the two fields you want; if not, remove it from my command below.

You will need a token created in Splunk.

See my example below:

curl -k -H "Authorization: Bearer <YOUR TOKEN>" https://*****:8089/servicesNS/-/-/admin/macros --get -d output_mode=json | jq '.entry[] | {name: .name, definition: .content.definition}'

This should give you the results for the name of the macro and its definition; optionally output to a JSON file.


isoutamo
SplunkTrust

Hi

It seems that when you are using output_mode=json those f=xyz didn't work. Instead of those you must use jq as @deepakc already proposed.

curl -ksu $UP 'https://localhost:8089/servicesNS/-/-/admin/macros?count=4&output_mode=json' | jq '.entry[].name'
"3cx_supply_chain_attack_network_indicators_filter"
"7zip_commandline_to_smb_share_path_filter"
"abnormally_high_aws_instances_launched_by_user___mltk_filter"
"abnormally_high_aws_instances_launched_by_user_filter"

You could/should leave a comment on the doc page where output_mode is defined and add the information that if you are using JSON mode then f=xyz doesn't work. The doc team is really helpful in updating that kind of note into the real documentation.

r. Ismo 

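The two replies above both land on the same approach: pull the full output_mode=json document and project it client-side, since the API exposes the macro under `name` (not `title` as `| rest` does) and the definition under `content.definition`. The script below is an added example, not code from the thread or from Splunk; it does in Python what deepakc's jq filter does, and also walks the `paging` block (`total`, `perPage`, `offset`) so a deployment with thousands of macros, like the 2195 shown in the question, is fetched completely. `SAMPLE_PAGE` is a constructed, trimmed copy of the response shape posted in the thread; `fetch_all_macros`, the base URL, the token and the `cafile` argument are assumptions for a live call and are not exercised offline. It uses a verified TLS context instead of `curl -k`, so the management port's certificate (or the CA that signed it) must be supplied.

```python
"""Added example (not from the thread): project a Splunk REST API
output_mode=json response down to macro name and definition, the way
`| rest ... | table title,definition` does in SPL, and walk `paging`
to fetch every page.  Standard library only."""
from __future__ import annotations

import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Constructed sample: the shape of GET /servicesNS/-/-/admin/macros?output_mode=json,
# trimmed to the fields that matter.  Names copied from the thread; paging values
# are made small so the walk below is easy to follow.
SAMPLE_PAGE = json.loads("""
{
  "entry": [
    {"name": "3cx_supply_chain_attack_network_indicators_filter",
     "acl": {"app": "DA-ESS-ContentUpdate", "sharing": "global"},
     "content": {"definition": "search *", "disabled": false}},
    {"name": "7zip_commandline_to_smb_share_path_filter",
     "acl": {"app": "DA-ESS-ContentUpdate", "sharing": "global"},
     "content": {"definition": "search *", "disabled": false}}
  ],
  "paging": {"total": 5, "perPage": 2, "offset": 0},
  "messages": []
}
""")


def project_macros(page: dict) -> list[dict]:
    """Equivalent of jq '.entry[] | {name: .name, definition: .content.definition}'.

    The REST API calls the macro `name`; `| rest` in SPL exposes the same
    value as `title`.  Entries without a definition yield None rather than
    raising, so one odd entry does not abort a long listing."""
    return [
        {"name": entry["name"],
         "definition": entry.get("content", {}).get("definition")}
        for entry in page.get("entry", [])
    ]


def next_offset(page: dict) -> Optional[int]:
    """Offset of the next page, or None when this page was the last one."""
    paging = page["paging"]
    candidate = paging["offset"] + paging["perPage"]
    return candidate if candidate < paging["total"] else None


def fetch_all_macros(base_url: str, token: str, count: int = 100,
                     cafile: Optional[str] = None) -> list[dict]:
    """Walk every page of /servicesNS/-/-/admin/macros with a bearer token.

    Assumed live call (not run in tests).  `cafile` is the CA bundle that
    signed the Splunk management certificate; this is the verified
    alternative to `curl -k`, which silently accepts any certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    macros: list[dict] = []
    offset: Optional[int] = 0
    while offset is not None:
        query = urllib.parse.urlencode(
            {"output_mode": "json", "count": count, "offset": offset})
        req = urllib.request.Request(
            f"{base_url}/servicesNS/-/-/admin/macros?{query}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            page = json.load(resp)
        macros.extend(project_macros(page))
        offset = next_offset(page)
    return macros


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for macro in project_macros(SAMPLE_PAGE):
        print(f'{macro["name"]}\t{macro["definition"]}')
    print("next offset:", next_offset(SAMPLE_PAGE))
```

Keep the token out of the shell history and out of the script (read it from an environment variable or a secrets store), and scope it to a role that only has read access to the macros endpoint; the response includes the ACL of every macro, so a listing token does not need write capability.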

richgalloway
SplunkTrust

Please show exactly what you tried and tell how the results were not what was expected.

---
If this reply helps you, Karma would be appreciated.

manish_navi
Explorer

@richgalloway  

I was mentioning that by using the query below I can limit the result to show only title and definition:

|rest /servicesNS/-/-/admin/macros
|table title,definition

Would there be a way to do the same with a REST API call for macros:
https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json 

While using the above API call with Postman, I am getting all the fields in the results, but I am interested in limiting the result to show only "title" and "definition".
As below, I am getting all fields; can I restrict the results to show only name and definition of the macro?

{
    "links": {
        "create": "/servicesNS/-/-/admin/macros/_new",
        "_reload": "/servicesNS/-/-/admin/macros/_reload",
        "_acl": "/servicesNS/-/-/admin/macros/_acl"
    },
    "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros",
    "updated": "2024-04-29T13:11:40+00:00",
    "generator": {
        "build": "78803f08aabb",
        "version": "9.2.1"
    },
    "entry": [
        {
            "name": "3cx_supply_chain_attack_network_indicators_filter",
            "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
            "updated": "1970-01-01T00:00:00+00:00",
            "links": {
                "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload",
                "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
                "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable"
            },
            "author": "nobody",
            "acl": {
                "app": "DA-ESS-ContentUpdate",
                "can_change_perms": true,
                "can_list": true,
                "can_share_app": true,
                "can_share_global": true,
                "can_share_user": false,
                "can_write": true,
                "modifiable": true,
                "owner": "nobody",
                "perms": {
                    "read": [
                        "*"
                    ],
                    "write": [
                        "admin"
                    ]
                },
                "removable": false,
                "sharing": "global"
            },
            "content": {
                "definition": "search *",
                "description": "Update this macro to limit the output results to filter out false positives.",
                "disabled": false,
                "eai:acl": null,
                "eai:appName": "DA-ESS-ContentUpdate",
                "eai:userName": "nobody"
            }
        }
    ],
    "paging": {
        "total": 2195,
        "perPage": 30,
        "offset": 0
    },
    "messages": []
}



richgalloway
SplunkTrust

You can filter the API response using the parameters described at https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog#Pagination_and_filtering_param...

Try something like this:

https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json&f=title&f=description

richgalloway
SplunkTrust

I believe you have to use the full name of the field ("entry.name", for example).


manish_navi
Explorer

@richgalloway 

I have already tried using this; if you see my posted question, I have already mentioned there that the filter parameter f is not working.

Here is the screenshot of what I tried:

[screenshot attachment: manish_navi_0-1715147507778.png]