Splunk IT Service Intelligence
Highlighted

How to disable an ITSI service using REST API

Explorer

Using the WebTools App from Splunkbase, I've issued the following API calls to modify the 'Service' object attribute 'Enabled' to 0. I get a 200 response but the targeted service remains enabled.

Examples of the API calls issued:

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="{\"Enabled\": 0}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="Enabled=0"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

To confirm the ITSI service 'enabled' state, I issue the following GET query:

| eval header="{\"Content-Type\":\"application/json\"}"
| curl method=get uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f splunkauth=true debug=true headerfield=header
| spath input=curl_message
| fields key object_type enabled permissions.user mod_source mod_timestamp

Output:

The modsource and modtimestamp coincide with my API 'disable' attempt.

alt text

I appreciate any guidance or corrections. Thank you!

Labels (1)
0 Karma

Re: How to disable an ITSI service using REST API

SplunkTrust
SplunkTrust

Have you tried using a software proxy like teleriks fiddler to see what happens in the POST when you click disable in the UI?

0 Karma
Highlighted

Re: How to disable an ITSI service using REST API

Explorer

I have not, thank you for the suggestion; I will give it a try.

0 Karma
Highlighted

Re: How to disable an ITSI service using REST API

Explorer

A grateful shout out to my awesome Splunk Sales Manager, who connected me to the right ITOA support and Michael Bentley who developed this great app,"Webtools Add-on" https://splunkbase.splunk.com/app/4146/#/details, available on Splunkbase. I appreciate Michael actively supports this app and responded quickly to my email with guidance.

Solution:

  1. First, generate and stream a single result to properly eval the 'data' field for use in my curl command
  2. Second, I need to add the _key field to my API POST command payload; the _key is the ITSI 'serviceid' value
  3. Third, the ITSI REST API 'service' object's attribute is all lower case, 'enabled' vs. errant 'Enabled' described in the ITSI REST API Schema documentation https://docs.splunk.com/Documentation/ITSI/4.4.2/RESTAPI/ITSIRESTAPIschema#Service,
  4. Finally, remove the "/" (forward slash) at the end of the uri, between the serviceid and ?ispartialdata=1

Putting it all together, these steps solved my problem and I can enable and disable ITSI services using the REST API interface:

Step 1

index=_internal
| head 1


Step 2 and 3

| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"


Step 4

/service/dc3b486e-2ec5-4f09-9dab-3714fc5f53 '6f?is' partialdata=1

| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data


Example of a functional SPL query to disable an ITSI service (change the value to 1 in eval of 'data' to enable an ITSI service):

index=internal
| head 1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"
key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data

View solution in original post

Highlighted

Re: How to disable an ITSI service using REST API

SplunkTrust
SplunkTrust

Happy to help!

Please let me know if you develop any more use cases. I like to keep track of how my apps are being used.

Thanks in advance!

0 Karma