Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- SOAR Cloud - Bulk Delete Containers through API?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey all,
I'm trying to find a way to bulk delete containers via the API in SOAR Cloud.
Had an issue where Splunk created ~8000 containers to one of my labels when testing, and no way am i going to sit here for an hour deleting them in the GUI.
I've read this post: How-to-Delete-Multiple-container but that really only points me to the single requests.delete option - which is very slow.
I can bulk update containers to change the status using requests.post and a list of container id's, but don't see any way to bulk delete.
For context a for loop + requests.delete on each single container is actually slower than deleting them via the GUI.
Am I missing it somewhere, or is this just not possible through API?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only just thought to check dev tools on my browser when deleting multiple containers, and yep - there is a way to pass the data so that it deletes multiple.
curl -X DELETE -H 'Content-Tpe: application/json' -H "ph-auth-token: <token>" -d "{'ids': [1234, 1235, 1236, 1237]}"
(might need to slightly play around with this curl statement, as i haven't tried it.
And in Python it would look something like this.
data = {"ids": [1234, 12345, 1236, 1237]}
requests.delete("https://<soar_base_url_here>/container/"), headers={"ph-auth-token": "<some_token_here>"}, data=json.dumps(data), verify=False)
Enjoy!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only just thought to check dev tools on my browser when deleting multiple containers, and yep - there is a way to pass the data so that it deletes multiple.
curl -X DELETE -H 'Content-Tpe: application/json' -H "ph-auth-token: <token>" -d "{'ids': [1234, 1235, 1236, 1237]}"
(might need to slightly play around with this curl statement, as i haven't tried it.
And in Python it would look something like this.
data = {"ids": [1234, 12345, 1236, 1237]}
requests.delete("https://<soar_base_url_here>/container/"), headers={"ph-auth-token": "<some_token_here>"}, data=json.dumps(data), verify=False)
Enjoy!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just wrote a quick script to handle it, using multiprocessing.
If you want to use it, just be careful how many API requests you are sending to your SOAR instance, and that it can handle it. Use at your own risk.
import requests
import multiprocessing
headers = {"ph-auth-token": "<some auth token here>"}
label = "<some label here>"
soar_base_url = "https://<replace_me.with.soar.url>"
# A function to for multiprocessing
def delete_container(container_id):
requests.delete("{}/container/{}".format(soar_base_url, container_id), headers=headers, verify=False)
print(container_id, " - Deleted")
# This is an example search that will get 50 Events from a label that are in the "new" status
# It will then sort them in ascending order (oldest to newset)
res = requests.get("{}/container/?page=0&page_size=50&sort=id&order=asc&_filter_label__in=['{}']&_filter_status__name='new'".format(soar_base_url, label), headers=headers, verify=False)
container_ids = [container_id["id"] for container_id in res.json()["data"]]
for container_id in container_ids:
p = multiprocessing.Process(target=delete_container, args=(container_id,))
p.start()
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
