Where can I find documentation on how to update a macro by using the API?

whiterd434
Explorer

I have successfully used the code below to create a macro (POST using 'requests' with Python). However, I have been unable to find any documentation that states this is possible. Based on the error messages I came across, "definition" is known as a "handler" within the Splunk API. I am trying to find any other "handlers" that I can target for updating macros. The main thing I would like to accomplish now is to change the permission level of a newly created macro to the app it is inside of (since it defaults to owner only).

payload = {'definition': 'query here'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name'

Thank you for your time.
-Randall

0 Karma

stephaniem_splu
Splunk Employee

Typically you can use handlers to update conf files (such as the services/data/transforms endpoint for transforms.conf), but macros are an exception. The Splunk REST API does not offer any dedicated handlers for macros.

You can use the /acl endpoint to change permissions (as you discovered), or you can use the /properties or /configs handlers to manipulate macros.conf files directly: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTconf

whiterd434
Explorer

I do know where the Splunk documentation is and have already made extensive use of it to get to this point.

0 Karma

whiterd434
Explorer

I found part of my answer. While I still cannot find specific documentation on creating/updating macros through the API, I found how to update the scope after the fact.

payload = {'owner': 'username', 'sharing': 'app'}
URL = 'root/servicesNS/username/app_name/admin/macros/macro_name/acl'

Access Control List Documentation
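
The two calls from this thread (set the definition, then change sharing through /acl) combined into one helper, as an added example that is not part of the original posts or Splunk's own code. The host name, the helper names and the recording stand-in session are assumptions; against a real server, pass a requests.Session with authentication configured and TLS certificate verification left enabled.

```python
from urllib.parse import quote

# Sharing levels accepted when POSTing to an object's /acl endpoint.
VALID_SHARING = {"user", "app", "global"}


def macro_url(base, user, app, macro):
    """Build the admin/macros URL used in the thread, percent-encoding each
    path segment so a name like 'my_macro(2)' or 'a/b' stays one segment."""
    segments = (user, app, "admin", "macros", macro)
    return base.rstrip("/") + "/servicesNS/" + "/".join(quote(s, safe="") for s in segments)


def set_macro(session, base, user, app, macro, definition, sharing="app"):
    """POST the definition, then POST owner + sharing to <macro>/acl."""
    if sharing not in VALID_SHARING:
        raise ValueError(f"sharing must be one of {sorted(VALID_SHARING)}")
    url = macro_url(base, user, app, macro)
    session.post(url, data={"definition": definition}).raise_for_status()
    # The /acl call sends both fields, exactly as in the payload above.
    session.post(url + "/acl", data={"owner": user, "sharing": sharing}).raise_for_status()
    return url


class RecordingSession:
    """Constructed stand-in for requests.Session so the example runs offline."""
    def __init__(self):
        self.calls = []

    def post(self, url, data=None):
        self.calls.append((url, dict(data or {})))
        return self

    def raise_for_status(self):
        return None


def demo():
    session = RecordingSession()  # swap for requests.Session() against a real server
    set_macro(session, "https://splunk.example.com:8089", "username",
              "app_name", "macro_name", "query here")
    return session.calls
```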

paulbannister
Communicator
0 Karma

whiterd434
Explorer

Thank you for the response, but the links provided do not provide any information on creating/updating a macro through use of the API. I should have been more specific. I have already searched everything I can think of. The closest I have been able to come is the documentation for "saved searches", but I have been unable to figure out how to modify the app scope of a given macro.

0 Karma