I have a curl statement which is sent to the REST API of my search head to add some tags based upon some criteria. After that is complete I want to change the tags which have been added so that the owner and permissions are modified accordingly:
owner = admin
permissions = read-all
Anyone know how to do this? The following answer seems to come close but is for saved searches:
https://answers.splunk.com/answers/115781/change-the-owner-of-a-saved-search-via-rest.html
I have tried all the options mentioned here, and none of them worked. So I made the change from the GUI, and searched:
index=_internal user=admin method=POST source="/opt/splunk/var/log/splunk/splunkd_access.log".
I then got the exact command that Splunk does:
127.0.0.1 - admin [19/Apr/2016:13:05:14.208 -0400] "POST /servicesNS/davidtw/search/saved/fvtags/{tag}%3D{value}/acl HTTP/1.0" 200 3776 - - - 37ms
So the command you should be running is as follows:
curl -k -u admin:changeme -d 'owner=admin' -d 'sharing=app' https://splunk.domain.com:8089/servicesNS/username/search/saved/fvtags/{tag}%3D{value}/acl
I was not able to find this in the official documentation, so use it at your own risk. I am on version 6.3.3, so your version may vary.
I hope this helps someone.
I don't have the ability to test this anymore due to a change in environment, but I'm happy to say I didn't think of checking the access logs and pulling out the command. Based upon my research the API and the UI use the same commands, therefore I have no doubt this will work.
Try something like this
curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/{tag_name}/acl
Update
I believe it should be like this
curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/active#host::testing123.testdomain.com/ac...
OR
curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/active#host%3Dtesting123.testdomain.com/a...
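An added example, not code from either answer above: a small POSIX shell script that builds the ACL request both answers are converging on, so that the `=` in the field=value name is percent-encoded the way the splunkd_access.log line shows (`%3D`) and the request can be reviewed before anything is sent. It assumes placeholder values (`splunk.example.com`, a `~/.netrc` entry for the search head, `SPLUNK_CA_BUNDLE` or the system CA bundle for the certificate); the `saved/fvtags` path is the one the access log confirmed, and `search/tags` is the second answer's guess, so the collection is a parameter.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ACL POST for one
# field=value pair (host=testing123.testdomain.com in the thread) under the
# namespace user and app given. Host name, CA bundle path and netrc entry
# are placeholders for the reader's own environment.
set -eu

# Percent-encode every byte outside the RFC 3986 unreserved set, so the '='
# in "field=value" becomes %3D and a ':' or '/' inside the value cannot be
# read as a path separator by the REST endpoint. ASCII input is assumed.
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}   # first character of the remaining string
    _s=${_s#?}           # drop it
    case $_c in
      [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Endpoint path: /servicesNS/<ns user>/<app>/<collection>/<field>%3D<value>/acl
# <collection> is "saved/fvtags" (seen in the access log) or "search/tags"
# (the second answer's suggestion).
# Args: ns_user app collection field value
acl_path() {
  printf '/servicesNS/%s/%s/%s/%s/acl' "$1" "$2" "$3" "$(urlencode "$4=$5")"
}

# Assemble and, unless DRY_RUN=1 (the default), send the request. Credentials
# come from ~/.netrc instead of the command line, so they do not appear in
# `ps` output or shell history, and --cacert replaces -k so the search head's
# TLS certificate is actually verified.
# Args: host ns_user app collection field value owner sharing
set_tag_acl() {
  _url="https://$1:8089$(acl_path "$2" "$3" "$4" "$5" "$6")"
  set -- --netrc --cacert "${SPLUNK_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" \
         --data-urlencode "owner=$7" --data-urlencode "sharing=$8" "$_url"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'curl'; printf ' %s' "$@"; printf '\n'
  else
    curl --fail --silent --show-error "$@"
  fi
}

# Dry run with the thread's example pair: prints the request without sending it.
set_tag_acl splunk.example.com admin search saved/fvtags \
            host testing123.testdomain.com admin app
```

Run with `DRY_RUN=0` to send the request. The user in the `/servicesNS/<user>/<app>/` part of the path is the namespace the tag object lives in (`davidtw` in the log line, `admin` in the second answer); the account that authenticates is whatever the `~/.netrc` entry holds.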
Ok, I'll look to get it later on; which of the below are you suggesting?
Example tag:
host=testing123.testdomain.com
value=active
Option 1: curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/host/acl
Option 2: curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/search/tags/host=testing123.testdomain.com/acl
If option one, wouldn't this change every single tag acl for host? This wouldn't be a problem for me however some people may not want all tags updated.
If any one of the options worked for you
Hi @LewisWheeler,
Can you give some more details of your use case? Are you not working with a saved search?
In case it helps, you can adjust the context for a saved search using the "dispatchAs" parameter for the saved/searches/dispatch endpoint. Here is some documentation about this:
http://docs.splunk.com/Documentation/Splunk/6.3.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2...
Hi fronbinson
Tags aren't saved searches as far as I'm aware (although they may be in the context of the API..) - although I have tried using the search endpoint to run them (without any success, I may add).
I'll take a look at your documentation at some stage and see if I can get it working! Thanks for the pointer.
My use case shouldn't be important to the question, however to add some context it is the following (please feel free to suggest alternatives which may work better):
We are creating application containers (via docker) to create and destruct application tiers as required - the Splunk integration will also be automated. A forwarder will be sitting inside each application container and then a script will start the service and link to our search head (for deployer) and indexer. There will be multiple 'apps' which contain all the scripts and config for each application tier. As part of the initiate script a tag will be sent which says the host is 'active', then when the container is destroyed the tag for the unique hostname (the host is being overridden to ensure it's unique) will be updated to 'inactive'. This will ensure any monitoring we have on that agent is disabled without any risk to the historical data.
One way we could have done it was to change the hostname upon 'destruct' to contain _inactive - however any historical events would have a different hostname then. I would prefer instead to have a tag which can be dynamic and change based upon our requirements and would affect all data.
Have you gotten closer on solving this? I'm interested since we have a major permission issue on our tags, likely needing this type of automation.
Nope, I haven't got anywhere - I spoke to someone in support as well and they haven't been able to point me anywhere. I do have a solution but it's not clean and I'm sure there is a way to do this via the REST API.
The 'workaround' (as it's not technically a solution for my problem) is to script something to run through the local.meta file for the search app and change the permissions at filesystem level. I have a script which should do something along those lines for another purpose.