Getting Data In

What is the best practice for providing full CRUD (Create, Read, Update, & Delete) UI features for Splunk conf files with a third party application for Splunk?

jeffrey_berry
Path Finder

Can someone point me to the best practice for providing full CRUD (Create, Read, Update, & Delete) UI features ffor Splunk conf files with a third party application for Splunk? (with emphasis on the Delete part of the CRUD acronym)

I have searched the Splunk websites (answers, docs, etc.) and reviewed apps from splunkbase, but the design model that allows full CRUD control of a conf file, stanza, and key/value pair with the REST API alludes me (or some needed REST API features do not exist). Based on the REST API reference for Configuration endpoints, endpoints exist to create, read, and update a conf file, stanza, and key/value pair local folder conf file, but no endpoints exist to delete a conf file or key/value pair in the local folder. The endpoint to delete a stanza works for a local folder stanza created through the REST API, but a local folder stanza cannot be deleted if it exists in the conf file of the default folder also (see error below).

Error received to delete a stanza that exists in the local and default conf files
Object id=stanza_name cannot be deleted in config=conf_file_name.

The documentation in the following urls were used to verify that fully functional configuration deletion endpoints do not exist

REST API Reference Manual - Configuration endpoint descriptions
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTconf

REST API Tutorials - Accessing and updating Splunk Enterprise configurations
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTconfigurations

With the Splunk configuration file precedence concept, I would guess that fully functional delete endpoints should exist to allow deletion of a conf file, stanza, and key/value pair in a local folder. If deletion is considered dangerous for the local folders of the Splunk application itself, deletion endpoints should exist for the local folder of a third party app to allow an app to conform to the configuration file precedence concept. An example use case is a button on an app's UI to delete a local folder conf file which would revert the conf file settings to the conf file in the default folder. Or maybe I am just missing a keypoint(s) on managing the configuration within Splunk with a CRUD UI.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...