Getting Data In

How to manage data models with REST endpoints?

guilmxm
Influencer

Hello,

I am trying to find the way to manage datamodels using REST endpoints:

http://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF

May main objectives are:

  • Launch datamodel rebuild operations from custom scheduled scripts (creating some admin scripts that would speak to splunkd and launch the acceleration rebuild)

  • Monitor datamodel acceleration states and alert under a few conditions (example: the datamodel acceleration state differs from 100% accelerated, a defined datamodel acceleration has been deactivated...)

I have found some related post in Splunkbase, like:

https://answers.splunk.com/answers/326499/how-can-i-programmatically-monitor-data-model-acce.html

Unfortunately, I couldn't find a REST endpoint that initiates a datamodel acceleration rebuild.

Then, why does the rest endpoint:

| rest /services/data/models

Seem to unable to retrieve datamodel information as long as it not globally shared? (in our case for example, very few datamodels are globally shared, most are shared only at the app level)

Any help will be appreciated 🙂

Guilhem

0 Karma
1 Solution

dturnbull_splun
Splunk Employee
Splunk Employee

Try the namespaced version:

| rest /servicesNS/<user>/<app>/data/models

View solution in original post

dturnbull_splun
Splunk Employee
Splunk Employee

Try the namespaced version:

| rest /servicesNS/<user>/<app>/data/models

guilmxm
Influencer

Great ! Thank you, that works, i can retrieve datamodels information in the namedspaced.

Do you know if the endpoints can received POST request to initiate the datamodel acceleration to be rebuilt ?

0 Karma

jkat54
SplunkTrust
SplunkTrust

If you use a program like Fidler, you can open fidler, then go to the part in splunk web ui that has the "rebuild acceleration" link, start fidler's capture, click the link... stop the capture. Then read through the web requests in fidler to figure out how the webui does it.

Then mimic that behavior. Please mare dturnbull's response as the answer to your question, because it is, and if you find my reply about your rebuild issue acceptable, upvote my comment to spread the love. Cheers!

I assume it does 2 posts... one to disable the current acceleration, and then another to enable it again.

http://docs.splunk.com/Documentation/Splunk/6.0.5/RESTAPI/RESTknowledge#POST_datamodel.2Fmodel

guilmxm
Influencer

Great suggestion thank you 😉
I will try that and revert !

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...