
Can eventtypes for specific users be disabled via the REST API?

jllewellyn4847
New Member

I'd like to disable eventtypes via the REST API. These eventtypes could be owned by a variety of users, but I want to make my API calls with a single user. According to the Splunk API docs, the correct way to do this is to POST to /services/saved/eventtypes/ with disabled=1. This works fine when making the API call as the user that owns the event type; however, if I make the same call as a different user, it creates a disabled duplicate eventtype with the same name, owned by the user that made the API call. The original eventtype remains enabled.

So, when updating/disabling an eventtype via the API, is there any way to specify the owner of that eventtype in the POST? Or is there a way to ensure that the API call will operate on the existing eventtype regardless of the owner, instead of creating a new eventtype?

0 Karma
1 Solution

somesoni2
Revered Legend

Try this REST API endpoint for updating user-specific event types (example with curl):

curl -k -u admin:pass https://yoursplunkserver:mgmtport/servicesNS/usernameHere/appnameHere/saved/eventtypes/eventtypename... -d disabled=1

Update the admin, pass, yoursplunkserver, mgmtport, usernameHere, appnameHere and eventtypenameHere per your environment.

Update

Try this. Seems to be working for me.

curl -X POST -k -u admin:pass https://yoursplunkserver:mgmtport/servicesNS/nobody/appnameHere/saved/eventtypes/eventtypenameHere/d...
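An added example, not part of the original post and not Splunk's own code: it reads each existing eventtype's ACL from a listing and builds the servicesNS URL that addresses that object, so the POST updates it instead of creating a copy. It assumes the usual Splunk namespace rule (private objects under their owner, shared objects under nobody); the host splunk.example, the sample listing and the function names are constructed.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of GET /servicesNS/-/-/saved/eventtypes?output_mode=json,
# trimmed to the fields used here; names, owners and apps are made up.
SAMPLE_LISTING = json.loads("""
{"entry": [
  {"name": "failed login", "acl": {"owner": "alice", "app": "search", "sharing": "user"}},
  {"name": "failed login", "acl": {"owner": "bob", "app": "search", "sharing": "app"}},
  {"name": "vpn_connect", "acl": {"owner": "carol", "app": "netops", "sharing": "global"}}
]}
""")

def namespace_owner(acl):
    """Owner segment of the servicesNS path for an existing object."""
    # Assumption: private objects live under their owner, while app- and
    # global-shared objects are addressed through the "nobody" namespace.
    return acl["owner"] if acl["sharing"] == "user" else "nobody"

def disable_requests(base_url, listing, name):
    """Return (url, form_body) for every existing eventtype called `name`."""
    out = []
    for entry in listing["entry"]:
        if entry["name"] != name:
            continue
        acl = entry["acl"]
        # Percent-encode each path segment (spaces, slashes in names).
        path = "/servicesNS/{}/{}/saved/eventtypes/{}".format(
            *(urllib.parse.quote(p, safe="") for p in
              (namespace_owner(acl), acl["app"], entry["name"])))
        out.append((base_url.rstrip("/") + path, "disabled=1"))
    return out

def send(url, body, session_key):
    """POST one request; TLS verification stays on (no equivalent of curl -k)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Authorization": "Splunk " + session_key})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    for url, body in disable_requests("https://splunk.example:8089",
                                      SAMPLE_LISTING, "failed login"):
        print("POST", url, body)
```

Two eventtypes share the name "failed login" in the sample, so two requests are planned: one under alice for her private copy and one under nobody for the app-shared one.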

jllewellyn4847
New Member

Thanks for the answer, somesoni2; however, that doesn't appear to work. The API call succeeds, but it still creates a duplicate eventtype. The duplicate is owned by the user provided in the URL at instead of the API user like before, but it's still not updating the existing eventtype.

0 Karma

somesoni2
Revered Legend

Give the updated answer a try.

0 Karma

jllewellyn4847
New Member

That works for me. Thank you!

0 Karma