Getting Data In

How to manage data models with REST endpoints?

guilmxm
SplunkTrust
SplunkTrust

Hello,

I am trying to find the way to manage datamodels using REST endpoints:

http://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF

May main objectives are:

  • Launch datamodel rebuild operations from custom scheduled scripts (creating some admin scripts that would speak to splunkd and launch the acceleration rebuild)

  • Monitor datamodel acceleration states and alert under a few conditions (example: the datamodel acceleration state differs from 100% accelerated, a defined datamodel acceleration has been deactivated...)

I have found some related post in Splunkbase, like:

https://answers.splunk.com/answers/326499/how-can-i-programmatically-monitor-data-model-acce.html

Unfortunately, I couldn't find a REST endpoint that initiates a datamodel acceleration rebuild.

Then, why does the rest endpoint:

| rest /services/data/models

Seem to unable to retrieve datamodel information as long as it not globally shared? (in our case for example, very few datamodels are globally shared, most are shared only at the app level)

Any help will be appreciated 🙂

Guilhem

0 Karma
1 Solution

dturnbull_splun
Splunk Employee
Splunk Employee

Try the namespaced version:

| rest /servicesNS/<user>/<app>/data/models

View solution in original post

dturnbull_splun
Splunk Employee
Splunk Employee

Try the namespaced version:

| rest /servicesNS/<user>/<app>/data/models

guilmxm
SplunkTrust
SplunkTrust

Great ! Thank you, that works, i can retrieve datamodels information in the namedspaced.

Do you know if the endpoints can received POST request to initiate the datamodel acceleration to be rebuilt ?

0 Karma

jkat54
SplunkTrust
SplunkTrust

If you use a program like Fidler, you can open fidler, then go to the part in splunk web ui that has the "rebuild acceleration" link, start fidler's capture, click the link... stop the capture. Then read through the web requests in fidler to figure out how the webui does it.

Then mimic that behavior. Please mare dturnbull's response as the answer to your question, because it is, and if you find my reply about your rebuild issue acceptable, upvote my comment to spread the love. Cheers!

I assume it does 2 posts... one to disable the current acceleration, and then another to enable it again.

http://docs.splunk.com/Documentation/Splunk/6.0.5/RESTAPI/RESTknowledge#POST_datamodel.2Fmodel

guilmxm
SplunkTrust
SplunkTrust

Great suggestion thank you 😉
I will try that and revert !

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...