Splunk Search

Assign the correct role to the index created using the Splunk API

paduka
Path Finder

We want to automate the index creation process so that we don't have to manually create the index before indexing the data to Splunk.

We created the index using the command curl -k -u : //indexer:port/servicesNS///data/indexes -d name=
and the index was created without a restart.

However, after the index is created we wanted to assign the correct role to the index so that it is
a: searchable by default
b: add it to indexes under authorization

We can do it using the GUI but wanted to automate it so that we can either do it from the command line or using a script.

Can anyone suggest how they have handled automatic index creation in the past?


Lowell
Super Champion

Great question. So roles are not assigned to indexes; each role can have a list of indexes that it's allowed to access and a list of indexes to search by default.

So you'll have to add your new index to a role (not the other way around).

The endpoint for doing this will be in the following form:

https://<splunk_server>:8089/servicesNS/<user>/<app>/authorization/roles/<role>

Specifically take note of srchIndexesAllowed and srchIndexesDefault.

You'll probably want to do this in two steps. First GET the current values for these two attributes, put them in a temporary variable, add your new index to the list, and then update the value in Splunk via a POST. Otherwise you may remove existing indexes from your roles, which would be bad.

Testing this in a safe environment first is recommended. 😉
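
The GET-then-POST sequence described in this answer, as an added Python example (not code from the original thread or from Splunk). It assumes the REST API's `output_mode=json` response layout and that a multi-valued argument is sent by repeating its key; `role_url` is the role endpoint in the form shown above, and the index name `web_logs` and the sample response are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

FIELDS = ("srchIndexesAllowed", "srchIndexesDefault")

# Constructed sample of a role GET response with output_mode=json (trimmed).
SAMPLE_ROLE_JSON = '''{"entry": [{"name": "admin", "content": {
    "srchIndexesAllowed": ["*", "_*"], "srchIndexesDefault": ["main"]}}]}'''


def build_role_update(role_json, new_index, fields=FIELDS):
    """Return a form-encoded POST body that keeps every index the role
    already lists and appends new_index to each field (no duplicates)."""
    content = json.loads(role_json)["entry"][0]["content"]
    pairs = []
    for field in fields:
        current = content.get(field) or []
        if isinstance(current, str):  # tolerate a single value returned as a string
            current = [current]
        merged = list(current)
        if new_index not in merged:
            merged.append(new_index)
        # One key=value pair per index; urlencode escapes names such as "*".
        pairs.extend((field, name) for name in merged)
    return urllib.parse.urlencode(pairs)


def add_index_to_role(role_url, user, password, new_index, cafile=None):
    """GET the role, merge the new index in, POST the full lists back.
    cafile: CA bundle for the management port, so the certificate is verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + cred}
    get = urllib.request.Request(role_url + "?output_mode=json", headers=headers)
    with urllib.request.urlopen(get, context=ctx) as resp:
        body = build_role_update(resp.read(), new_index)
    post = urllib.request.Request(role_url, data=body.encode(),
                                  headers=headers, method="POST")
    with urllib.request.urlopen(post, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration of the merge step on the constructed sample.
    print(build_role_update(SAMPLE_ROLE_JSON, "web_logs"))
```

Because the body is built from the parsed JSON lists, no response markup can leak into the POST arguments, and running it twice for the same index leaves the role unchanged.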

paduka
Path Finder

I tried doing it through the temporary variable and am getting the error "In handler 'roles': Argument "</s:key> <s:key name" is not supported by this handler."

0 Karma

paduka
Path Finder

I am new to using REST APIs. Can you please let me know what would be the content of the temporary variable and what command should work?
I tried using - curl -k -u user:password -X POST --data '/s:keytest/s:item/s:list /s:key' \https://127.0.0.1:8089/servicesNS/admin/search/authorization/roles/admin - but it didn't work.
Thanks a lot!

0 Karma

paduka
Path Finder

Thanks a lot!

0 Karma