Getting Data In

Create View with REST?

nathankc
Engager

version 5.0.2

Looking through the documentation, but nothing is jumping out at me as to how to create a View for an app dynamically via REST or C# SDK. I'll be creating the XML on the fly and would like to send it to Splunk programatically as opposed to copy / paste through the user interface.

Thanks - sorry if this is a ridiculous question.

Tags (3)
1 Solution

sideview
SplunkTrust
SplunkTrust

You're not crazy. For some reason the /data/ui/views endpoint is missing from the REST API reference.

It's simple though. With views there are only 2 relevant properties to get/set: "name", which ends up being the filename on disk as well as the URL segment, and eai:data, which is the XML string.

To give an example off the top of my head, to add a system-owned view called "myView" to "myApp" just POST to

/servicesNS/nobody/myApp/data/ui/views/_new

and pass "name" set to "myView", and "eai:data" set to the desired XML. As with other namespaced REST calls, you would set permissions and ownership by incorporating usernames in URL as appropriate and setting the "eai:acl" property as appropriate in your POST.

View solution in original post

fman82
Explorer

Am I missing something here. I submit eai:data and I get:

In handler 'views':
Argument "eai:data" is not supported
by this handler.

The curl I'm running is:

curl -v -H "Content-Type: application/xml" -X POST -d name=test00013210 -d eai:data=%3Cdashboard%20%2F%3E  -u admin:changeme  -k hxxps://localhost:8091/servicesNS/admin/search/data/ui/views/_new

sideview
SplunkTrust
SplunkTrust

Tried it for myself and indeed, something about posting to the _new endpoint doesn't work here. I can't figure it out either. I can do a nice simple curl POST -d eai:data="<dashboard />" -u admin:changeme -k https://localhost:8089/servicesNS/admin/search/data/ui/views/existing_view_name and it works great.

But whenever I try anything to _new, I get that same error you're getting.

0 Karma

ganesh_crms
New Member

HI sideview,
how to get value of eai:data?

so in curl you mentioned "/admin/search/" here "search" is the app having the view?
And i am getting "Argument " name" is not supported by this handler."

0 Karma

deanilol
Explorer

Looking for an answer on this!

0 Karma

sideview
SplunkTrust
SplunkTrust

You're not crazy. For some reason the /data/ui/views endpoint is missing from the REST API reference.

It's simple though. With views there are only 2 relevant properties to get/set: "name", which ends up being the filename on disk as well as the URL segment, and eai:data, which is the XML string.

To give an example off the top of my head, to add a system-owned view called "myView" to "myApp" just POST to

/servicesNS/nobody/myApp/data/ui/views/_new

and pass "name" set to "myView", and "eai:data" set to the desired XML. As with other namespaced REST calls, you would set permissions and ownership by incorporating usernames in URL as appropriate and setting the "eai:acl" property as appropriate in your POST.

Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...