Solved: Is there a search that I can use to delete or disa...

perrinj2 · ‎01-24-2019

I am using a recurring ad hoc search to generate ITSI services using a service template. I want to be able to automate a process to delete services that are no longer required. Can I set up a recurring process using CRON that deletes services that meet a certain criteria — e.g., all services except that latest one or services older than a certain date/time. I'm using the inputs.conf file to define how the services are created.

Can I use this, or something similar, to delete or disable a service?

satokoji · ‎01-25-2019

How about making a script using ITOA Interface included in ITSI REST API?

The script process is like this:
1. GET "_key" field of all target services(API : itoa_interface/service )
2. GET "create_time" field of each service title(API : itoa_interface/service/_key )
3. DELETE older services(API : itoa_interface/service/_key -X DELETE )

Check ITSI REST API reference

View solution in original post

satokoji · ‎01-25-2019

How about making a script using ITOA Interface included in ITSI REST API?

The script process is like this:
1. GET "_key" field of all target services(API : itoa_interface/service )
2. GET "create_time" field of each service title(API : itoa_interface/service/_key )
3. DELETE older services(API : itoa_interface/service/_key -X DELETE )

Check ITSI REST API reference

skoelpin · ‎01-25-2019

I second this.. Use the API

Is there a search that I can use to delete or disable a Splunk IT Service Intelligence (ITSI) service?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk