Splunk ITSI

How to disable an ITSI service using REST API

damianokuen
Explorer

Using the WebTools App from Splunkbase, I've issued the following API calls to modify the 'Service' object attribute 'Enabled' to 0. I get a 200 response but the targeted service remains enabled.

Examples of the API calls issued:

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="{\"Enabled\": 0}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

| eval header="{\"Content-type\":\"application/json\"}"
| eval data="Enabled=0"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f/?is_partial_data=1 splunkauth=true debug=true headerfield=header datafield=data

To confirm the ITSI service 'enabled' state, I issue the following GET query:

| eval header="{\"Content-Type\":\"application/json\"}"
| curl method=get uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f splunkauth=true debug=true headerfield=header
| spath input=curl_message
| fields key object_type enabled permissions.user mod_source mod_timestamp

Output:

The mod_source and mod_timestamp coincide with my API 'disable' attempt.


I appreciate any guidance or corrections. Thank you!


damianokuen
Explorer

A grateful shout out to my awesome Splunk Sales Manager, who connected me to the right ITOA support, and to Michael Bentley, who developed this great app, "Webtools Add-on" https://splunkbase.splunk.com/app/4146/#/details, available on Splunkbase. I appreciate that Michael actively supports this app and responded quickly to my email with guidance.

Solution:

  1. First, generate and stream a single result to properly eval the 'data' field for use in my curl command
  2. Second, I need to add the _key field to my API POST command payload; the _key is the ITSI 'serviceid' value
  3. Third, the ITSI REST API 'service' object's attribute is all lowercase, 'enabled' vs. the errant 'Enabled' described in the ITSI REST API Schema documentation https://docs.splunk.com/Documentation/ITSI/4.4.2/RESTAPI/ITSIRESTAPIschema#Service.
  4. Finally, remove the "/" (forward slash) at the end of the uri, between the serviceid and ?is_partial_data=1

Putting it all together, these steps solved my problem and I can enable and disable ITSI services using the REST API interface:

Step 1

index=_internal
| head 1


Step 2 and 3

| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"


Step 4

/service/dc3b486e-2ec5-4f09-9dab-3714fc5f536f?is_partial_data=1

| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data


Example of a functional SPL query to disable an ITSI service (change the value to 1 in eval of 'data' to enable an ITSI service):

index=_internal
| head 1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"enabled\": 0,\"_key\":\"dc3b486e-2ec5-4f09-9dab-3714fc5f536f\"}"
| curl method=post uri=https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/dc3b486e-2ec5-4f09-9dab-3714... splunkauth=true debug=true headerfield=header datafield=data


jkat54
SplunkTrust

Happy to help!

Please let me know if you develop any more use cases. I like to keep track of how my apps are being used.

Thanks in advance!

0 Karma

jkat54
SplunkTrust

Have you tried using a software proxy like Telerik's Fiddler to see what happens in the POST when you click disable in the UI?

0 Karma

damianokuen
Explorer

I have not, thank you for the suggestion; I will give it a try.

0 Karma