 
 
Splunk Lantern

Using the rest command to work with data from REST API endpoints

 

You're looking to use the rest command to retrieve and analyze key Splunk Enterprise Security data from Splunk REST API endpoints, giving you access to a wealth of system data directly from the search bar.

Solution

This three-part video series shows you how to use the rest command to inspect correlation searches, lookup tables, and dashboards in your Splunk Enterprise Security environment directly from the search bar.

Video 1: Correlation searches

In the first video, you learn how to:

  • Use the rest command against the saved searches endpoint to retrieve details about correlation searches.
  • Filter the results to active correlation searches by matching action.correlationsearch.enabled=1 and excluding searches whose disabled field is set.
  • Produce a list of the correlation searches that are actually running, so you know what detection coverage your environment has.
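The following SPL is an added example of the search described above; it is not taken from the video. It assumes the standard saved searches endpoint /services/saved/searches and the fields that endpoint returns for a Splunk Enterprise Security correlation search (title, action.correlationsearch.enabled, action.correlationsearch.label, disabled, cron_schedule, search, and the eai:acl.* access-control fields). splunk_server=local keeps the query on the search head, where the correlation searches are defined.

```spl
| rest /services/saved/searches splunk_server=local
| search action.correlationsearch.enabled=1 disabled=0
| table title action.correlationsearch.label eai:acl.app eai:acl.owner cron_schedule search
| rename title AS saved_search, action.correlationsearch.label AS correlation_search, eai:acl.app AS app, eai:acl.owner AS owner
| sort app correlation_search
```

Because the rest command runs under the searching user's permissions, it returns only the saved searches that user is allowed to read; run it from a role with access to the ES app context, or the list will be incomplete. Changing disabled=0 to disabled=1 turns the same search into a list of correlation searches that exist but are switched off, which is the other half of a coverage audit.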

Video 2: Lookup tables

In the second video, you learn how to:

  • Retrieve lookup table details using the rest command and the lookup table endpoint.
  • Reduce the results to the fields you need, such as the lookup name, app, owner, and last updated time.
  • Rename the returned columns for readability so the output can be used to audit and manage your lookup tables.
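As an added example that is not part of the video, the search below lists lookup table files with the fields named above. It assumes the lookup file endpoint /services/data/lookup-table-files, whose entries carry title (the CSV file name), the eai:acl.* permission fields, and an updated timestamp; if the video instead uses the lookup definition endpoint /services/data/transforms/lookups, the same table and rename pattern applies, with filename giving the backing file.

```spl
| rest /services/data/lookup-table-files splunk_server=local
| table title eai:acl.app eai:acl.owner eai:acl.sharing updated
| rename title AS lookup_file, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, updated AS last_updated
| sort - last_updated
```

Sorting on last_updated descending puts recently modified lookups at the top, which is useful when checking that scheduled lookup-generating searches are still writing, or when looking for an unexpected change to an allowlist or asset lookup. Filtering with | search sharing=global before the table command narrows the output to lookups visible across apps.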

Video 3: Dashboards

In the third video, you learn how to:

  • Retrieve details about dashboards using the rest command and the dashboard endpoint.
  • Display fields such as the dashboard title, app, owner, sharing permissions, and the XML definition for troubleshooting or customization.
  • Restrict the results to the search head with splunk_server=local, which avoids duplicate rows from search peers in distributed environments.
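The search below is an added example, not the video's own search. It assumes the views endpoint /services/data/ui/views, where each entry has title, label, isDashboard, the eai:acl.* permission fields, and eai:data holding the dashboard XML. The isDashboard filter drops views such as forms and simple redirects that the endpoint also returns.

```spl
| rest /services/data/ui/views splunk_server=local
| search isDashboard=1
| table title label eai:acl.app eai:acl.owner eai:acl.sharing eai:data
| rename title AS dashboard_id, label AS dashboard_title, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, eai:data AS xml
| sort app dashboard_id
```

Once the XML is in a field, it can be searched like any other text. Appending | search xml="*inputlookup*" before the table command, for example, finds every dashboard whose panels read a lookup, and | search xml="*\| rest*" finds dashboards that themselves call the rest command and therefore depend on the viewing user's permissions. Without splunk_server=local, the rest command is sent to every search peer and a dashboard deployed to both the search head and the indexers appears once per host.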

Next steps

These resources might help you understand and implement this guidance: