Splunk ITSI

How to disable an ITSI service using REST API

damianokuen
Explorer

Using the WebTools App from Splunkbase, I've issued the following API calls to modify the 'Service' object attribute 'Enabled' to 0. I get a 200 response but the targeted service remains enabled.

Examples of the API calls issued:

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="{\"Enabled\": 0}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="Enabled=0"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

To confirm the ITSI service 'enabled' state, I issue the following GET query:

| eval header="{\"Content-Type\":\"application/json\"}"
| curl method=get uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f splunkauth=true debug=true headerfield=header
| spath input=curl_message
| fields key object_type enabled permissions.user mod_source mod_timestamp

Output (screenshot in the original post, not reproduced here):

The mod_source and mod_timestamp coincide with my API 'disable' attempt.

I appreciate any guidance or corrections. Thank you!


damianokuen
Explorer

A grateful shout out to my awesome Splunk Sales Manager, who connected me to the right ITOA support, and to Michael Bentley, who developed this great app, "Webtools Add-on" https://splunkbase.splunk.com/app/4146/#/details, available on Splunkbase. I appreciate that Michael actively supports this app and responded quickly to my email with guidance.

Solution:

  1. First, generate and stream a single result to properly eval the 'data' field for use in my curl command
  2. Second, I need to add the _key field to my API POST command payload; the _key is the ITSI 'serviceid' value
  3. Third, the ITSI REST API 'service' object's attribute is all lower case, 'enabled' vs. the errant 'Enabled' described in the ITSI REST API Schema documentation https://docs.splunk.com/Documentation/ITSI/4.4.2/RESTAPI/ITSIRESTAPIschema#Service.
  4. Finally, remove the "/" (forward slash) at the end of the uri, between the serviceid and ?is_partial_data=1

Putting it all together, these steps solved my problem and I can enable and disable ITSI services using the REST API interface:

Step 1

index=_internal
| head 1


Step 2 and 3

| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"


Step 4

/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f?is_partial_data=1

| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data


Example of a functional SPL query to disable an ITSI service (change the value to 1 in eval of 'data' to enable an ITSI service):

index=_internal
| head 1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data

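The four fixes from the accepted answer, carried out from a Python script instead of the WebTools curl command, as an added example that is not the poster's SPL or Splunk's own code. It assumes a Splunk authentication token in the SPLUNK_TOKEN environment variable and that GET on the service endpoint returns the service object as JSON (the thread's spath output suggests it does); the service key is the one from the thread. Because a 200 response was not a confirmation in the original post, the script re-reads the object after the POST and raises if 'enabled' did not change.

```python
import json
import os
import urllib.request

# Endpoint pieces from the post; the service key is the one in the thread.
BASE = "https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface"
SERVICE_KEY = "dc3b486e-2ec5-4f09-9dab-3714fc5f536f"


def service_uri(key, partial=True):
    """Fix 4 from the answer: no trailing '/' between the key and the query."""
    uri = f"{BASE}/service/{key}"
    return f"{uri}?is_partial_data=1" if partial else uri


def enabled_payload(key, enabled):
    """Fixes 2 and 3: lower-case 'enabled' plus the service's own _key."""
    return {"enabled": 1 if enabled else 0, "_key": key}


def is_applied(service_obj, enabled):
    """True when the GET body's 'enabled' field matches what was requested."""
    return int(service_obj.get("enabled", -1)) == (1 if enabled else 0)


def _request(method, uri, token, body=None, ctx=None):
    # Bearer token auth (assumed) replaces the search-time splunkauth=true of WebTools.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(uri, data=data, method=method, headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def set_service_enabled(key, enabled, token, ctx=None):
    """POST the partial update, then re-read the object instead of trusting 200."""
    status, _ = _request("POST", service_uri(key), token,
                         enabled_payload(key, enabled), ctx)
    _, obj = _request("GET", service_uri(key, partial=False), token, ctx=ctx)
    if not is_applied(obj, enabled):
        raise RuntimeError(f"POST returned {status} but enabled={obj.get('enabled')!r}")
    return obj


if __name__ == "__main__":
    # ctx=None uses the system CA store; pass ssl.create_default_context(cafile=...)
    # with the Splunk CA when the management port uses a self-signed certificate.
    set_service_enabled(SERVICE_KEY, False, os.environ["SPLUNK_TOKEN"])
```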

jkat54
SplunkTrust

Happy to help!

Please let me know if you develop any more use cases. I like to keep track of how my apps are being used.

Thanks in advance!


jkat54
SplunkTrust

Have you tried using a software proxy like Telerik's Fiddler to see what happens in the POST when you click disable in the UI?


damianokuen
Explorer

I have not, thank you for the suggestion; I will give it a try.
