Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Modify event types via API (curl)

nocostk
Communicator
‎05-22-2012 11:56 AM

I'm trying to script something out to create an event type and then set the permissions on it. I've got the creation down just fine:

curl -s -k -H "Authorization: Splunk <authstring>" https://splunksearch:8089/servicesNS/nobody/search/saved/eventtypes -d name=SA-1234 -d search='"host=web01*"' -d tags=alert-shop

However, I'm unable to set the permissions using the above URI. Scouring through the documentation it seems I need to slap the acl of the object via:

curl -s -k -H "Authorization: Splunk <authstring>" https://splunksearch:8089/servicesNS/nobody/search/saved/eventtypes/SA-1234/acl -d perms.read=* -d perms.write=admin,power -d sharing=app"

However, the API returns the following :

<msg type="ERROR">In handler &apos;eventtypes&apos;: Argument &quot;perms.read&quot; is not supported by this handler.</msg>

If I remove perms.read it will just complain about another (e.g. sharing=app). How do I properly set the permissions via the API in Splunk 4.3.2?

Tags (2)
Reply

nocostk
Communicator
‎05-22-2012 12:11 PM

Never mind... I'm a moron.

You do slap the /acl handler. I had a problem with one of my variable.

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...