I'd like to disable eventtypes via the REST API. These eventtypes could be owned by a variety of users, but I want to make my API calls with a single user. According to the Splunk API docs, the correct way to do this is to POST to /services/saved/eventtypes/ with disabled=1. This works fine when making the API call as the user that owns the event type, however, if I make the same call as a different user, it creates a disabled duplicate eventtype with the same name, owned by the user that made the API call. The original eventtype remains enabled.
So, when updating/disabling an eventtype via the API, is there any way to specify the owner of that eventtype in the POST? Or is there a way to ensure that the API call will operate on the existing eventtype regardless of the owner, instead of creating a new eventtype?
Try this REST API endpoint for updating user specific event types (example with curl)
curl -k -u admin:pass https://yoursplunkserver:mgmtport/servicesNS/usernameHere/appnameHere/saved/eventtypes/eventtypename... -d disabled=1
Update the admin, pass, yoursplunkserver, mgmtport, usernameHere, appnameHere and eventtypenameHere per your environment.
Try this. Seems to be working for me.
curl -X POST -k -u admin:pass https://yoursplunkserver:mgmtport/servicesNS/nobody/appnameHere/saved/eventtypes/eventtypenameHere/d...
Thanks for the answer somesoni2, however that doesn't appear to work. The API call succeeds, but it still creates a duplicate eventtype. The duplicate is owned by the user provided in the URL at instead of the API user like before, but it's still not updating the existing eventtype.