This one works fine.

Thanks,

If the answer suits your needs, accept or upvote please.

Unfortunately this is not what we need. We want to query whether an IP address is in the ip_intel collection. This curl command returns the item with the key. We want the item that match a given ip address.

Thanks.

Found this one:
https://answers.splunk.com/answers/555780/splunk-enterprise-security-where-do-i-specify-key.html
Seems to be a bug in 4.7.2, which is the one I am using now.

The alternative way is to use the Splunk SDK to run a search:
search | inputlookup ip_intel | search ip="58.64.179.144" | eval item_key = _key
This will give you the key:
fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d

Then you can use the url given by tiagofbmm to fetch information or to delete.

Thanks for your reply.
Sorry about my typo. I actually tried with double quotes.

curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":"58.64.179.144"}' -G -X GET

Just verified again, and still get the same error:
{"message": "Found an invalid record in item list. Each record must have _key field.", "status": false}

I am using Splunk Enterprise 6.6.1 and Splunk ES 4.7.2.

Thanks.

Just one more information. We did not add any ip_intel to the collections. Those ip_intel must be the same as the initial installation of Splunk ES.

Also a search from the search page of Splunk ES works fine. This should not be caused by a collapsed ip_intel collection.