After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
REST Search
To do a search, an HTTP GET is made to /rest/search
.
Syntax
https://<username>:<password>@<host>/rest/search
GET
Search query
Request parameters
The endpoint accepts the following parameters.
Query | Required | The query to be searched |
---|---|---|
categories | optional | Comma separated list of categories to search. Valid categories follow:
If categories are not provided, the query will be searched across all of them. |
tenant | optional | Id of the tenant for whom you want to filter search results. |
page | optional | Positive integer. Returned results are paginated. This parameter requests a specific page. |
page_size | optional | Positive integer. Returned results are paginated. This parameter determines how many results returned per-page. Use "0" for all results. |
Example request
Search query for 'maxmind' in the 'app' and 'docs' categories.
curl -k -u username:password https://localhost/rest/search?query=maxmind&categories=app,docs -G -X GET
Example response
A successful GET will return back a JSON formatted list of key names and data.
{ count: 10, num_pages: 1, results: [ { url: "https://10.1.16.99/docs/app_reference/maxmind_c566e153-3118-4033-abda-14dd9748c91a", category: "app", verbose: "App", match: { message: "" } }, { url: "https://10.1.16.99/docs/rest/search", category: "docs", verbose: "Documentation", match: { message: "" } }, { url: "https://10.1.16.99/docs/automation/playbooks", category: "docs", verbose: "Documentation", match: { message: "" } }, . . . ] }
The return values of note follow:
Field | Description |
---|---|
url | The url at which the matching search result is located |
category | The category that the search result belongs to. Category could be one of the following:
|
match | The content that actually matched in the search result. This is a dictionary where the key is the field where the match was found. In Splunk Phantom versions before 4.0, the 'match' field used to return the search term used. In 4.0, it is empty. |
verbose | Verbose description of the category in which the match was found. |
REST User Settings | REST Vault |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1
Feedback submitted, thanks!