I'd like to disable eventtypes via the REST API. These eventtypes could be owned by a variety of users, but I want to make my API calls with a single user. According to the Splunk API docs, the correct way to do this is to POST to /services/saved/eventtypes/ with disabled=1. This works fine when making the API call as the user that owns the event type, however, if I make the same call as a different user, it creates a disabled duplicate eventtype with the same name, owned by the user that made the API call. The original eventtype remains enabled.
So, when updating/disabling an eventtype via the API, is there any way to specify the owner of that eventtype in the POST? Or is there a way to ensure that the API call will operate on the existing eventtype regardless of the owner, instead of creating a new eventtype?
↧