Modify event types via API (curl) - Splunk Community

Getting Data In

I'm trying to script something out to create an event type and then set the permissions on it. I've got the creation down just fine:

curl -s -k -H "Authorization: Splunk <authstring>" https://splunksearch:8089/servicesNS/nobody/search/saved/eventtypes -d name=SA-1234 -d search='"host=web01*"' -d tags=alert-shop

However, I'm unable to set the permissions using the above URI. Scouring through the documentation it seems I need to slap the acl of the object via:

curl -s -k -H "Authorization: Splunk <authstring>" https://splunksearch:8089/servicesNS/nobody/search/saved/eventtypes/SA-1234/acl -d perms.read=* -d perms.write=admin,power -d sharing=app"

However, the API returns the following :

<msg type="ERROR">In handler &apos;eventtypes&apos;: Argument &quot;perms.read&quot; is not supported by this handler.</msg>

If I remove perms.read it will just complain about another (e.g. sharing=app). How do I properly set the permissions via the API in Splunk 4.3.2?

Never mind... I'm a moron.

You do slap the /acl handler. I had a problem with one of my variable.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...