How to create or update UI view using rest api

sridamg
Explorer

Is it possible to create/update a Splunk view using the data/ui/views endpoint? If yes, then what are the parameters that this endpoint takes?
I am hoping that if the saved/searches endpoint has the necessary parameters/options to create/modify a saved search, then there should be similar options available for data/ui/views so that I can create/update the Splunk views.
I am not using Python; I would need the REST endpoint and the parameters so that I can call them from a .NET/Java or any other application.

sideview
SplunkTrust

This is rather a large topic. Can you narrow down your question? My guess is that the ideal form of this question is more "how can I learn everything I need to know, in order to tinker with updating views from the rest api", or "are there good examples of things that update views from the rest API?".

The Sideview Editor springs to mind as a fully functional example, but there's a lot of power in there and that means it's not the simplest example. The Sideview Editor is packaged inside Sideview Utils, and while the free licensing doesn't technically allow you to reverse engineer the code and use it in your own products, I don't mind people taking a look at it for educational purposes.

Going the other way, reading and writing the XML is a matter of talking to the data/ui/views endpoint. If you're going from python this is often but not always done using Splunk's Entity class - for example en.getEntity('data/ui/views', view, namespace=app)

and as far as the modifying part, you'll just use your XML library of choice. In python this is usually ElementTree or lxml depending on preference.

markbarber21
Path Finder

Splunk has provided a simple example in the form of a curl statement:

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/views -d "name=new_dashboard&eai:data=<dashboard><label>the_new_label</label></dashboard>"

Taken from: http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTknowledge#data.2Fui.2Fviews

0 Karma

piebob
Splunk Employee

I took the liberty of copying sridamg's clarification of the question into the question itself, for the benefit of future users.

0 Karma

deanilol
Explorer

Looking for an answer on this!

doing the cURL command:
$ curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/search/data/ui/views/_new -d "eai:data=" -d name=

gives:
Argument "eai:data" is not supported by this handler

0 Karma

jreuter_splunk
Splunk Employee

To create a new dashboard named "newdash":

curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/data/ui/views/ -d 'name=newdash' -d 'eai:data=<put your xml here>'

To edit an existing dashboard with the name "newdash":

curl -ku admin:changeme https://localhost:8089/servicesNS/nobody/search/data/ui/views/newdash -d 'eai:data=<put your xml here>'

Take a look at the keys that are returned from the endpoint, that should give you a pretty good idea of what you can change.

http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Fui.2Fviews.2F.7Bname...

0 Karma

sideview
SplunkTrust

Well it's quite different from posting to the savedsearches endpoint. For one thing the views entity only has really the "eai:data" property, which is a large XML string. The client really has to know all the legal values of that XML string, meaning posting invalid XML or slightly-invalid syntax will just give you a non-functional view. Also the URL to hit depends on whether the view is shared.

It appears to be totally absent from the REST API docs, but for what it's worth the URL would be as follows:
/servicesNS/nobody/<app_name>/data/ui/views/<view_name>

0 Karma
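
The create and edit calls from the two answers above, as an added example that is not part of any post or of Splunk's own code. It builds the same two POST requests with Python's standard library, rejects malformed XML before sending, and form-encodes eai:data so that an `&` inside the dashboard XML is not read as a field separator (which is what happens with a raw `-d` body). The function names and the sample dashboard are constructed for illustration; host, port and credentials are the ones used in the thread.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BASE = "https://localhost:8089"  # management port from the thread's curl commands

# Constructed sample: valid XML whose "&amp;" would split a raw -d form body.
SAMPLE_XML = "<dashboard><label>Errors &amp; warnings</label></dashboard>"


def view_request(owner, app, name, xml_text, create, user, password, base=BASE):
    """Build (not send) the POST that creates or updates a view."""
    # The endpoint stores whatever string it is given, so catch malformed
    # XML client-side; ET.fromstring raises ParseError on bad input.
    ET.fromstring(xml_text)

    q = lambda part: urllib.parse.quote(part, safe="")  # escape path segments
    collection = f"{base}/servicesNS/{q(owner)}/{q(app)}/data/ui/views"
    if create:
        # Create: POST to the collection; the view name travels in the body.
        url, fields = collection, {"name": name, "eai:data": xml_text}
    else:
        # Edit: POST to the view's own URL; only eai:data is sent.
        url, fields = f"{collection}/{q(name)}", {"eai:data": xml_text}

    # urlencode escapes &, =, < and > so the XML stays a single form field.
    body = urllib.parse.urlencode(fields).encode("utf-8")
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,  # same scheme as curl -u
        "Content-Type": "application/x-www-form-urlencoded",
    })


def send(req):
    """Send the request; the default TLS context verifies the certificate,
    unlike curl -k, so the server needs a certificate the client trusts."""
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Any client that can send a form-encoded POST (.NET, Java, and so on) can issue the same two requests; the URL and body layout are the whole interface.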

sridamg
Explorer

Thanks for your answer. Let me clarify my question.
Is it possible to create/update a Splunk view using the data/ui/views endpoint? If yes, then what are the parameters that this endpoint takes?
I am hoping that if the saved/searches endpoint has the necessary parameters/options to create/modify a saved search, then there should be similar options available for data/ui/views so that I can create/update the Splunk views.
I am not using Python; I would need the REST endpoint and the parameters so that I can call them from a .NET/Java or any other application.

0 Karma