Using the rest command to work with data from REST API endpoints
You're looking to use the rest command to retrieve and analyze key Splunk Enterprise Security data from Splunk REST API endpoints, giving you access to a wealth of system data directly from the search bar.
Solution
This three-part video series shows you how to use the rest command to uncover valuable insights about correlation searches, lookup tables, and dashboards in your Splunk Enterprise Security environment.
Video 1: Correlation searches
In the first video, you learn how to:
- Use the rest command to retrieve details about enabled correlation searches.
- Filter results to show only active searches by matching specific fields like action.correlationsearch.enabled and excluding explicitly disabled searches.
- Generate a list of operational correlation searches to better understand your environment.
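The search below is an added example of the procedure described above, not a search taken from the video. It queries the saved/searches endpoint across all apps and owners, keeps only saved searches that Splunk Enterprise Security flags as correlation searches (action.correlationsearch.enabled=1) and that are not disabled, and tabulates the fields an analyst usually wants when inventorying detections. The endpoint path and the action.correlationsearch.*, eai:acl.*, cron_schedule and dispatch.* fields are the standard names returned by Splunk's REST API; the renamed column names are my own choices.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search action.correlationsearch.enabled=1 disabled=0
| table title action.correlationsearch.label eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search
| rename title AS saved_search, action.correlationsearch.label AS correlation_search, eai:acl.app AS app, eai:acl.owner AS owner
| sort app correlation_search
```

Two caveats worth keeping in mind: the rest command only returns objects the role running the search is permitted to read, so an incomplete inventory usually means a permissions gap rather than missing content, and the disabled field is a string ("0" or "1"), which is why the filter compares against 0 rather than false. Dropping the search column gives a shorter list suitable for a report; keeping it lets you spot detections whose SPL has drifted from what the label promises.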
Video 2: Lookup tables
In the second video, you learn how to:
- Retrieve and analyze lookup table details using the rest command and the lookup table endpoint.
- Organize the results to display fields such as the lookup name, app, owner, and last updated time.
- Audit and manage your lookup tables effectively by renaming columns for better readability.
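As an added example (not the video's own search) of the lookup audit described above, the search below lists every CSV lookup file the running user can see, shows where it lives on disk and who owns it, and renames the REST field names into readable column headers. The data/lookup-table-files endpoint and the title, eai:acl.app, eai:acl.owner, eai:acl.sharing, eai:data and updated fields are the standard names Splunk's REST API returns; the column names after rename are my own.

```spl
| rest /servicesNS/-/-/data/lookup-table-files splunk_server=local count=0
| table title eai:acl.app eai:acl.owner eai:acl.sharing eai:data updated
| rename title AS lookup_file, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, eai:data AS path, updated AS last_updated
| sort - last_updated
```

Sorting by last_updated surfaces lookups that have not changed in a long time, which in Enterprise Security often means an asset, identity, or allowlist file that nobody is maintaining. Note that this endpoint lists lookup files only; the definitions that map a file to a lookup name live under data/transforms/lookups, so a file with no matching definition is a candidate for cleanup, and a definition whose file is missing will break any search that references it.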
Video 3: Dashboards
In the third video, you learn how to:
- Retrieve details about dashboards using the rest command and the dashboard endpoint.
- Display fields such as the dashboard title, app, owner, sharing permissions, and XML definitions for troubleshooting or customization.
- Refine the results to focus on local instances in distributed environments by using splunk_server=local.
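The search below is an added example of the dashboard inventory described above, not a search from the video. It queries the data/ui/views endpoint on the local search head, keeps only views that are dashboards (as opposed to other view types), and exposes the title, app, owner, sharing level, and XML definition. The endpoint path and the title, label, isDashboard, eai:acl.* and eai:data fields are the standard names returned by Splunk's REST API; the renamed column headers are mine.

```spl
| rest /servicesNS/-/-/data/ui/views splunk_server=local count=0
| search isDashboard=1
| table title label eai:acl.app eai:acl.owner eai:acl.sharing eai:data
| rename title AS dashboard_id, label AS dashboard_title, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, eai:data AS xml_definition
| sort app dashboard_id
```

The eai:data column holds the complete dashboard XML and can be large, so when you only need an ownership and sharing audit, drop it with a final "| fields - xml_definition"; keep it when you are troubleshooting a broken panel or looking for embedded searches. Filtering on sharing=global is a quick way to find dashboards visible to every app, which is where an accidental exposure of a sensitive search is most likely to sit. In a search head cluster, splunk_server=local is what prevents each member from returning its own copy of every replicated dashboard.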
Next steps
These resources might help you understand and implement this guidance:
- Docs: Rest command