Splunk IT Service Intelligence

Scripted option for deleting all entities in ITSI?

Splunk Employee

Does anyone have a script to automate deletion of entities in ITSI?

0 Karma
1 Solution

Path Finder

In 3.0.2, entities are stored in the itsi_services KV store collection. I haven't used a later version of ITSI yet. Entities have _type=entity. You can see all objects via REST with e.g.:

curl -k -u username:password https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services

After you've identified the _key values to delete, you can delete objects with

curl -X DELETE -k -u username:password https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services/$id

where $id is the _key value.

I use jq to parse JSON output and select objects for deletion from a shell. E.g., to write all entity identifiers to a file:

curl -s -k -u username:password https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services | jq -r '.[] | select(._type == "entity") | ._key' > entities.txt

To delete all entities listed in the file:

while read id; do curl -X DELETE -k -u username:password "https://localhost:8089/servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_services/$id"; done < entities.txt
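
The selection and URL-building steps above, as an added Python example (not from the original post or from Splunk), with one extra guard: each _key is validated before it goes into the URL, because a blank line in entities.txt would make the loop send DELETE to the collection URL itself. The key pattern, function names and sample data are assumptions.

```python
import json
import re
from urllib.parse import quote

# Collection URL as given in the post above.
COLLECTION_URL = ("https://localhost:8089/servicesNS/nobody/SA-ITOA"
                  "/storage/collections/data/itsi_services")
# Assumption: _key values are UUID-like tokens (letters, digits, '-', '_').
KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

def entity_keys(objects):
    """Return the _key of every object whose _type is exactly "entity"."""
    return [o.get("_key") for o in objects
            if isinstance(o, dict) and o.get("_type") == "entity"]

def delete_url(key, base=COLLECTION_URL):
    """Build the per-object DELETE URL, refusing anything but a plain key.

    An empty key would yield the collection URL itself, and a DELETE sent
    there removes every object in the collection, not a single entity.
    """
    if not isinstance(key, str) or not KEY_RE.fullmatch(key):
        raise ValueError(f"refusing unsafe _key: {key!r}")
    return f"{base.rstrip('/')}/{quote(key, safe='')}"

def plan_deletions(raw_json):
    """Return (URLs to DELETE, rejected keys) for a collection listing."""
    urls, rejected = [], []
    for key in entity_keys(json.loads(raw_json)):
        try:
            urls.append(delete_url(key))
        except ValueError:
            rejected.append(key)
    return urls, rejected

# Constructed sample listing (not real ITSI output).
SAMPLE = json.dumps([
    {"_key": "a1b2c3d4-0000-4000-8000-000000000001", "_type": "entity"},
    {"_key": "svc-0001", "_type": "service"},
    {"_key": "", "_type": "entity"},
    {"_key": "../itsi_services", "_type": "entity"},
])

if __name__ == "__main__":
    urls, rejected = plan_deletions(SAMPLE)
    print("would DELETE:", *urls, sep="\n  ")
    print("rejected keys:", rejected)
```

Review the printed plan before sending any request; the script itself makes no network calls.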

Path Finder

It would be more prudent to do this via the ITSI REST interface instead of going direct to the collection.

https://docs.splunk.com/Documentation/ITSI/4.0.0/RESTAPI/ITSIRESTAPIreference

By doing it from there you will be letting ITSI code know the entity is gone, not just deleting from DB... there may be other steps that will get executed like remove from base searches or something.

curl -k -u admin:password https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/012ef858-8288-4e0e-872d-f4ddc... -X DELETE
0 Karma

Builder

Hi @jluo [Splunk]

You can use the itsi_entity.py file in /SA-ITOA/lib/itsi/objects and the itoa_object.py file in /SA-ITOA/lib/ITOA to make a script which can perform actions for you.

Thanks

0 Karma

Splunk Employee

Do you have a more detailed example? I'm not a Python expert and would need guidance on how to leverage those scripts.

Thanks

0 Karma