Splunk IT Service Intelligence

ITSI Maintenance Windows via REST using Web Tools Add-on

nickmew
Path Finder

Have being trying out @jkat54 's Web tool add-on to do some maintenance on ITSI objects with the ITSI REST api.

I've managed to do make some of the options work - like enabling and disabling services, but I'm stuck on creating maintenance windows.

Thanks to a few other answers (thanks @damianokuen and @kartikaykv1 ) I've managed to succesfully test enable / disabling a service - insert your own <serviceid> without the <> to try:

index=itsi_summary
| head 1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"<serviceid>\"}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/<serviceid>?is_partial_data=1 splunkauth=true debug=false headerfield=header datafield=data

Using a standard command line curl I've managed to create a maintenance window (again use your own user / password / server / port / serviceid)

curl -k -u <user>:<password> https://<server>:<port>/servicesNS/nobody/SA-ITOA/maintenance_services_interface/maintenance_calendar -X POST -H "Content-Type:application/json" -d "{\"title\":\"TEST MW\",\"start_time\":1589715600,\"end_time\":1589719600,\"objects\":[{\"object_type\":\"service\",\"_key\":\"<serviceid>\"}]}

but trying to use this within SPL is failing :

index=itsi_summary
| head 1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"title\":\"TEST MW2\",\"start_time\":1589705600,\"end_time\":1589709600,\"objects\":[{\"object_type\":\"entity\",\"_key\":\"<serviceid>\"}]}"
| curl method=post uri=https://localhost:8089//servicesNS/nobody/SA-ITOA/maintenance_services_interface/maintenance_calendar splunkauth=true debug=false headerfield=header datafield=data

should be materially the same (barring changing the title so it doesn't duplicate the command line curl), but I get a failure

{"message":"(400, 'Objects specified must be a valid non-empty list. Must specify at least one object.')"}

I've tried a variety of ways of fiddling with syntax but just can't get it to work - I'm wondering whether the add-on doesn't work nicely with the nested array of objects you need to pass?

https://docs.splunk.com/Documentation/ITSI/4.6.1/RESTAPI/ITSIRESTAPIschema#Maintenance_Calendar

 

Labels (1)
Tags (3)

jkat54
SplunkTrust
SplunkTrust

Yeah, its something to do with SPL filter mechanisms and nested dictionaries in json.

Can you file a issue over on our github?

https://github.com/bentleymi/TA-webtools/issues

If you'll submit it with all the same details we will get to it as soon as we can.

0 Karma

nickmew
Path Finder

Thanks @jkat54 , I've have submitted on github.

Any idea what kind of turnaround is likely on these kind of things? Just so I know whether I need to find an alternate approach in the meantime. There's always people  asking for things yesterday 😀

 

jkat54
SplunkTrust
SplunkTrust

Im interested enough to spend some time on it tonight / tomorrow morning.

This is a common issue and we need to nail it down.

If you submit the issue on github i will share the "fame" with you  / give you "credit" for reporting the bug.  If things happen in my life (and they do often due to big family)... i might get distracted though.  So having the issue there serves as a reminder.

Thanks,
JKat54

Tags (1)
0 Karma

nickmew
Path Finder

Thanks for the enthusiasm, but don't kill yourself!

I'm trying to get a solution working using this by the back end of next week, so I've got some time to work an alternate if you don't find a fix, but would be much appreciated as it would save me stringing together a whole extra bag of bolts

jkat54
SplunkTrust
SplunkTrust

Lol, I'll do what I can!  Trying not to leave you holding a bag of bolts!

0 Karma

nickmew
Path Finder

Hiya, don't suppose you've got any further with this?

I've cludged some things up mostly by substituting some rolling update lookups rather than the real maintenance windows, but it isn't as effective for the rest of ITSI so would still like to be able to use this.

Tags (1)
0 Karma

jkat54
SplunkTrust
SplunkTrust

Have you tried escaping the square brackets too?

 

      \[{\"object_type\":\"entity\",\"_key\":\"<serviceid>\"}\]}"

maybe all the brackets

 

     \[\{\"object_type\":\"entity\",\"_key\":\"<serviceid>\"\}\]}"

0 Karma

nickmew
Path Finder

Hi, @jkat54 , thanks for getting back so quickly

Just tried escaping the [ ,  unfortunately just getting a different error message

{"message":"(400, 'Invalid title specified for the object_type: maintenance_calendar. Cannot be empty and cannot contain = \" or \\'.')"}

When I return the field in the SPL as data I can see it doesn't seem to want the [ escaped as if you do you see the \ in the field.

Similar when trying to escape all the brackets

Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...