Getting Data In

Change tag permission via REST API (cURL)

LewisWheeler
Communicator

I have a curl statement which is sent to the rest api of my search head to add some tags based upon some criteria, after that is complete I want to change the tags which have been added so that the owner and permisiosn are modified accordingly:

owner = admin
permissions = read-all

Anyone know how to do this? The following answers seems to come close but is for saved searches:
https://answers.splunk.com/answers/115781/change-the-owner-of-a-saved-search-via-rest.html

0 Karma
1 Solution

rabbidroid
Path Finder

I have tried all the optiones mentioned here, and none of the worked. So I made the change from the GUI, and searched:

index=_internal user=admin method=POST source="/opt/splunk/var/log/splunk/splunkd_access.log".

I then got the exact command that Splunk does:

127.0.0.1 - admin [19/Apr/2016:13:05:14.208 -0400] "POST /servicesNS/davidtw/search/saved/fvtags/{tag}%3D{value}/acl HTTP/1.0" 200 3776 - - - 37ms

So the command you should be running is as follows:

curl -k -u admin:changeme -d 'admin' -d 'sharing=app' https://splunk.domain.com:8089/servicesNS/username/search/saved/fvtags/{tag}%3D{value}/acl

I was not able to find this in the official documentation, so use it at your own risk. I am on version 6.3.3, so your version may vary.
I hope this helps someone.

View solution in original post

rabbidroid
Path Finder

I have tried all the optiones mentioned here, and none of the worked. So I made the change from the GUI, and searched:

index=_internal user=admin method=POST source="/opt/splunk/var/log/splunk/splunkd_access.log".

I then got the exact command that Splunk does:

127.0.0.1 - admin [19/Apr/2016:13:05:14.208 -0400] "POST /servicesNS/davidtw/search/saved/fvtags/{tag}%3D{value}/acl HTTP/1.0" 200 3776 - - - 37ms

So the command you should be running is as follows:

curl -k -u admin:changeme -d 'admin' -d 'sharing=app' https://splunk.domain.com:8089/servicesNS/username/search/saved/fvtags/{tag}%3D{value}/acl

I was not able to find this in the official documentation, so use it at your own risk. I am on version 6.3.3, so your version may vary.
I hope this helps someone.

LewisWheeler
Communicator

I don't have the ability to test this anymore due to a change in environment, but happy to say I didn't think of checking the access logs and pulling out the command. Based upon my research the API and the UI uses the same commands therefore I have no doubt this will work.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

curl -k -u admin:changeme  -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/{tag_name}/acl

Update
I believe it should be like this

curl -k -u admin:changeme  -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/active#host::testing123.testdomain.com/ac...

OR

curl -k -u admin:changeme  -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/active#host%3Dtesting123.testdomain.com/a...
0 Karma

LewisWheeler
Communicator

Ok ill look to get it later on, which of the below are you suggesting.


Example tag:
host=testing123.testdomain.com
value=active

Option 1: curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/host/acl

Option 2: curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/host=testing123.testdomain.com/acl


If option one, wouldn't this change every single tag acl for host? This wouldn't be a problem for me however some people may not want all tags updated.

0 Karma

kartik13
Communicator

If any one of the option worked for you

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @LewisWheeler,
Can you give some more details of your use case? Are you not working with a saved search?

In case it helps, you can adjust the context for a saved search using the "dispatchAs" parameter for the saved/searches/dispatch endpoint. Here is some documentation about this:
http://docs.splunk.com/Documentation/Splunk/6.3.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2...

0 Karma

LewisWheeler
Communicator

Hi fronbinson

Tags aren't saved searches as far as im aware (although they may be in the context of the api..) - although I have tried using the search endpoint to run them (without any success I may add).

Ill take a look at your documentation at some stage and see if I can get it working! thanks for the pointer.

My use case shouldn't be important to the question, however to add some context it is the following (please feel free to suggest alternatives which may work better):
We are creating application containers (via docker) to create and destruct application tiers as required - the splunk integrated will also be automated. A forwarder will be sitting inside each application container and then a script will start the service and link to our search head (for deployer) and indexer. There will be multiple 'apps' which contain all the scripts and config for each application tier. As part of the initiate script a tag will be sent which says the host is 'active', then when the container is destroyed the tag for the unique hostname (the host is being overridden to ensure its unique) will be updated to 'inactive'. This will ensure any monitoring we have on that agent is disabled without any risk to the historical data.

One way we could of done it was to change the hostname upon 'destruct' to contain _inactive - however any historical events would have a different hostname then. I would prefer instead to have a tag which can be dynamic and change based upon our requirements and would affect all data.

0 Karma

spause
Explorer

Have you gotten closer on solving this? I'm interested since we have a major permission issue on our tags, likely needing this type of automation.

0 Karma

LewisWheeler
Communicator

Nope I haven't got anywhere - I spoke to someone in support as well and they haven't been able to point me anywhere. I do have a solution but its not clean and im sure there is a way to do this vai the rest API.

The 'workaround' as its not technically a solution for my problem is to script something to run through the local.meta file for the search app and change the permissions via filesystem level. I have a script which should do something along those lines for another purpose.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...