Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best practice for providing full CRUD (Create, Read, Update, & Delete) UI features for Splunk conf files with a third party application for Splunk?

jeffrey_berry
Path Finder
‎02-04-2019 09:35 AM

Can someone point me to the best practice for providing full CRUD (Create, Read, Update, & Delete) UI features ffor Splunk conf files with a third party application for Splunk? (with emphasis on the Delete part of the CRUD acronym)

I have searched the Splunk websites (answers, docs, etc.) and reviewed apps from splunkbase, but the design model that allows full CRUD control of a conf file, stanza, and key/value pair with the REST API alludes me (or some needed REST API features do not exist). Based on the REST API reference for Configuration endpoints, endpoints exist to create, read, and update a conf file, stanza, and key/value pair local folder conf file, but no endpoints exist to delete a conf file or key/value pair in the local folder. The endpoint to delete a stanza works for a local folder stanza created through the REST API, but a local folder stanza cannot be deleted if it exists in the conf file of the default folder also (see error below).

Error received to delete a stanza that exists in the local and default conf files
Object id=stanza_name cannot be deleted in config=conf_file_name.

The documentation in the following urls were used to verify that fully functional configuration deletion endpoints do not exist

REST API Reference Manual - Configuration endpoint descriptions
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTconf

REST API Tutorials - Accessing and updating Splunk Enterprise configurations
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTconfigurations

With the Splunk configuration file precedence concept, I would guess that fully functional delete endpoints should exist to allow deletion of a conf file, stanza, and key/value pair in a local folder. If deletion is considered dangerous for the local folders of the Splunk application itself, deletion endpoints should exist for the local folder of a third party app to allow an app to conform to the configuration file precedence concept. An example use case is a button on an app's UI to delete a local folder conf file which would revert the conf file settings to the conf file in the default folder. Or maybe I am just missing a keypoint(s) on managing the configuration within Splunk with a CRUD UI.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...