Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can't I delete kvstore collections using the REST API via Python?

pembleton
Path Finder
‎04-02-2015 03:19 AM

I'm trying to delete kvstore collection using REST API via Python:

url = "https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config/deleteme"
request = urllib2.Request(url, headers = {"Authorization" : "Splunk "})
request.get_method = lambda: "DELETE"
results = urllib2.urlopen(request)

This returns HTTP Error 400: Bad request.

The code works for other kvstore functions (when changing the URL) such as deleting collection's data, and I used the correct URL according to the documentation so I can't figure out why this doesn't work.

Reply

dsmc_adv
Path Finder
‎02-01-2017 07:06 AM

I cannot delete either. I get an error:

curl -k -s -u admin:changeme https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config/test_collection_collection -X DELETE

<msg type="ERROR">Object id=test_collection_collection cannot be deleted in config=collections.</msg>
0 Karma
Reply

awurster
Contributor
‎06-11-2015 09:14 PM

i found this frustrating too. you actually have to POST the option as shown in the CURL examples in the docs.

the way i do it is using splunk's rest.simpleRequest method. strangely, i always seem to misplace the link for the SDK, but here's an example:
http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

it's not ideal - but perhaps you could first retrieve all the data points in that collection, and then iteratively delete them?

query_uri = '/servicesNS/nobody/<app>/storage/collections/data/<kvstore>'
serverResponse, serverContent = rest.simpleRequest(query_uri, sessionKey=sessionKey)
for result in serverContent:
removal_uri = '/servicesNS/nobody/<app>/storage/collections/data/<kvstore>/%s' % result['_key']
    serverResponse, serverContent = rest.simpleRequest(removal_uri, sessionKey=sessionKey, method='DELETE')

maybe you can also leverage one of the answers from my similar question:
https://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

0 Karma
Reply

ineeman
Splunk Employee
Splunk Employee
‎04-02-2015 11:29 AM

What happens if you make the same request using curl? Also, likely there is some output together with the 400 status code - can you post it here?

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...