Building for the Splunk Platform

Why can't I delete kvstore collections using the REST API via Python?

pembleton
Path Finder

I'm trying to delete kvstore collection using REST API via Python:

url = "https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config/deleteme"
request = urllib2.Request(url, headers = {"Authorization" : "Splunk "})
request.get_method = lambda: "DELETE"
results = urllib2.urlopen(request)

This returns HTTP Error 400: Bad request.

The code works for other kvstore functions (when changing the URL) such as deleting collection's data, and I used the correct URL according to the documentation so I can't figure out why this doesn't work.

dsmc_adv
Path Finder

I cannot delete either. I get an error:

curl -k -s -u admin:changeme https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config/test_collection_collection -X DELETE

<msg type="ERROR">Object id=test_collection_collection cannot be deleted in config=collections.</msg>
0 Karma

awurster
Contributor

i found this frustrating too. you actually have to POST the option as shown in the CURL examples in the docs.

the way i do it is using splunk's rest.simpleRequest method. strangely, i always seem to misplace the link for the SDK, but here's an example:
http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

it's not ideal - but perhaps you could first retrieve all the data points in that collection, and then iteratively delete them?

query_uri = '/servicesNS/nobody/<app>/storage/collections/data/<kvstore>'
serverResponse, serverContent = rest.simpleRequest(query_uri, sessionKey=sessionKey)
for result in serverContent:
removal_uri = '/servicesNS/nobody/<app>/storage/collections/data/<kvstore>/%s' % result['_key']
    serverResponse, serverContent = rest.simpleRequest(removal_uri, sessionKey=sessionKey, method='DELETE')

maybe you can also leverage one of the answers from my similar question:
https://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

0 Karma

ineeman
Splunk Employee
Splunk Employee

What happens if you make the same request using curl? Also, likely there is some output together with the 400 status code - can you post it here?

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...