REST Search

GET

Search query

Request parameters

The endpoint accepts the following parameters.

query       Required  The query to be searched.
categories  Optional  Comma-separated list of categories to search. Valid categories follow:
  • container
  • artifact
  • asset
  • app
  • action
  • playbook
  • docs

If categories are not provided, the query will be searched across all of them.

tenant      Optional  ID of the tenant for whom you want to filter search results.
page        Optional  Positive integer. Returned results are paginated. This parameter requests a specific page.
page_size   Optional  Positive integer. Returned results are paginated. This parameter determines how many results are returned per page. Use "0" for all results.

Example request

Search query for 'maxmind' in the 'app' and 'docs' categories.

curl -k -u username:password "https://localhost/rest/search?query=maxmind&categories=app,docs" -G -X GET

Example response

A successful GET returns a JSON-formatted list of key names and data.

{
    count: 10,
    num_pages: 1,
    results: [
        {
            url: "https://10.1.16.99/docs/app_reference/maxmind_c566e153-3118-4033-abda-14dd9748c91a",
            category: "app",
            verbose: "App",
            match: {
                message: ""
            }
        },
        {
            url: "https://10.1.16.99/docs/rest/search",
            category: "docs",
            verbose: "Documentation",
            match: {
                message: ""
            }
        },
        {
            url: "https://10.1.16.99/docs/automation/playbooks",
            category: "docs",
            verbose: "Documentation",
            match: {
                message: ""
            }
        },
        .
        .
        .
    ]
}

The return values of note follow:

Field     Description
url       The URL at which the matching search result is located.
category  The category that the search result belongs to. The category is one of the following:
  • container
  • artifact
  • asset
  • app
  • action
  • playbook
  • docs
match     The content that actually matched in the search result. This is a dictionary where the key is the field where the match was found. In Splunk Phantom versions before 4.0, the 'match' field returned the search term used. In 4.0, it is empty.
verbose   Verbose description of the category in which the match was found.
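
As an added example (not part of the original documentation or the product's own code), the following Python builds the search URL from the request parameters documented above, with validation and percent-encoding, and groups the results of a response by category. The function names, the phantom.example host and the sample response are constructed for illustration, and the response body is assumed to be valid JSON.

```python
import json
from urllib.parse import urlencode

# Category names listed in the request parameter table on this page.
VALID_CATEGORIES = {"container", "artifact", "asset", "app", "action", "playbook", "docs"}


def build_search_url(base_url, query, categories=None, tenant=None, page=None, page_size=None):
    """Return the /rest/search URL with every parameter validated and percent-encoded."""
    if not query:
        raise ValueError("query is required")
    params = {"query": query}
    if categories:
        unknown = set(categories) - VALID_CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        params["categories"] = ",".join(categories)
    if tenant is not None:
        params["tenant"] = str(tenant)
    for name, value, minimum in (("page", page, 1), ("page_size", page_size, 0)):
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
            raise ValueError(f"{name} must be an integer >= {minimum}")
        params[name] = value
    # urlencode escapes '&', '=', spaces and similar characters, so search text
    # supplied by a user cannot add or override parameters such as tenant.
    return base_url.rstrip("/") + "/rest/search?" + urlencode(params)


def urls_by_category(response_text):
    """Group result URLs by category from a JSON response body."""
    body = json.loads(response_text)
    grouped = {}
    for item in body.get("results", []):
        grouped.setdefault(item["category"], []).append(item["url"])
    return grouped


# Constructed sample response, shaped like the example on this page (assumed valid JSON).
SAMPLE = json.dumps({"count": 2, "num_pages": 1, "results": [
    {"url": "https://phantom.example/docs/rest/search", "category": "docs",
     "verbose": "Documentation", "match": {"message": ""}},
    {"url": "https://phantom.example/docs/automation/playbooks", "category": "docs",
     "verbose": "Documentation", "match": {"message": ""}}]})

if __name__ == "__main__":
    print(build_search_url("https://localhost", "maxmind & geo", ["app", "docs"], page_size=0))
    print(urls_by_category(SAMPLE))
```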