Closed sebwurl closed 6 months ago
Hi @sebwurl
Within the UI, a change in the alias is indeed translated into a call to the bulk edit endpoint which itself implies a full JSON structure of the record.
We could address this with a new simplified endpoint for sure, we would need to submit an array with the association between "object/alias" and/or "key/alias" (both could be accepted by the endpoint), this would be like:
[
{"object1": "alias1"},
{"object2": "alias2"}
]
Would this meet your needs?
Guilhem
You are right, I did not have in mind that this needs a different structure as we do not set the same value for a list of objects... My goal would be to dynamically create the REST command within a scheduled search. Not 100% sure what this would look like in the end, but SPL should do it :) I think it would be something like this to create a field that is passed to the REST command:
Hi @sebwurl
In fact, the bulk edit can be used for your purpose, however to use it from SPL we need to do a small evolution in 2.0.91 (to verify if the json_data is a dict, or a string storing the dict).
The bulk edit does not require all fields, what it requires is a JSON object with the keyid and any field that TrackMe would accept as editable.
For instance (with this change I mentioned):
| inputlookup trackme_dsm_tenant_feeds-not-sec | eval keyid=_key
| search object=cribl*
| fields object, keyid
``` this is just to get a different alias for the demo ```
| streamstats count
| eval alias = "crib:" . count
| fields - count
``` use to json ```
| tojson | fields _raw
``` create an array ```
| stats values(_raw) as _raw
| eval data = "[" . mvjoin(_raw, ", ") . "]"
| fields data
``` bulk edit expect a dict ```
| rex field=data mode=sed "s/\"/\\\"/g"
| fields - _raw
``` call bulk edit ```
| map search="| trackme url=/services/trackme/v2/splk_dsm/write/ds_bulk_edit mode=post body=\"{'tenant_id':'feeds-not-sec', 'json_data': '$data$'}\""
or:
| trackme url=/services/trackme/v2/splk_dsm/write/ds_bulk_edit mode=post body="{'tenant_id':'feeds-not-sec', 'json_data': '[{\"alias\":\"crib:1\",\"keyid\":\"672a3ac956e2f2feb44983ee0f8bc559\",\"object\":\"cribl_datagen:cribl:business\"}, {\"alias\":\"crib:2\",\"keyid\":\"88722311a7f44650b30bdef44159c26b\",\"object\":\"cribl_datagen:syslog\"}]'}"
--> Addressing the bulk edit minor evolution for 2.0.91
Let me know if this addresses your need
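The dict-or-string handling of `json_data` described above, sketched in Python as an added example (not part of the thread and not TrackMe's code); the function names, the allowed-field set and the sample keyids are assumptions made for the illustration. Building the array with a JSON serializer rather than sed-escaping keeps quotes in alias values from breaking the payload.

```python
import json

# Fields this sketch accepts in a partial update. Assumption for the example,
# not TrackMe's actual list of editable fields.
ALLOWED_FIELDS = {"keyid", "object", "alias"}


def check_records(records):
    """Require a list of objects, each with a keyid and only allowed fields."""
    if not isinstance(records, list) or not records:
        raise ValueError("expected a non-empty list of records")
    for rec in records:
        if not isinstance(rec, dict) or not rec.get("keyid"):
            raise ValueError("every record must be an object with a keyid")
        unknown = set(rec) - ALLOWED_FIELDS
        if unknown:
            raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return records


def build_bulk_edit_body(tenant_id, records):
    """Client side: tenant_id plus json_data as a JSON-encoded string."""
    # json.dumps does the quoting, so a quote or backslash inside an alias
    # stays inside its string instead of ending it early.
    return {"tenant_id": tenant_id, "json_data": json.dumps(check_records(records))}


def normalize_json_data(json_data):
    """Receiving side: accept the records directly or as a string storing them."""
    if isinstance(json_data, (str, bytes)):
        json_data = json.loads(json_data)
    if isinstance(json_data, dict):  # a single record is treated as a list of one
        json_data = [json_data]
    return check_records(json_data)


# Constructed sample records; the keyids are placeholders, not real KVstore keys.
SAMPLE = [
    {"keyid": "keyid-0001", "object": "cribl_datagen:cribl:business", "alias": 'crib:"1"'},
    {"keyid": "keyid-0002", "object": "cribl_datagen:syslog", "alias": "crib:2"},
]

if __name__ == "__main__":
    body = build_bulk_edit_body("feeds-not-sec", SAMPLE)
    print(json.dumps(body, indent=2))
    print(normalize_json_data(body["json_data"]) == normalize_json_data(SAMPLE))
```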
So far this ends up in an error:
Yes sorry I have not been clear enough @sebwurl it will require a small change which I've incorporated in 2.0.91
Okay sorry :) Then I'm pretty sure it will address my need.
As far as I understand it, with the new version the bulk edit can do everything that the dedicated endpoints can do. Is there a reason to prefer a dedicated endpoint if it is available?
Hi @sebwurl !
TrackMe 2.0.91 is now live in Splunk Base, once you have upgraded, you can use the bulk edit as mentioned in this thread and only submit fields you want to see updated.
And to answer the question, therefore no, a new endpoint is not required but some changes on the bulk edit endpoints were necessary ;-)
Any issue / question please let me know!
I'm trying to automate the adjustment of entity aliases. So far I think it is only possible to achieve this with the endpoint "post_ds_bulk_edit". This does not provide an object_list like the other endpoints. So it needs to use the map command to iterate over all provided entities, which results in a lot of dedicated searches in the background.
Is there another endpoint that I did not find to change the alias? Or would a dedicated endpoint make sense?