Assign the correct role to the index created using the Splunk API

Path Finder

We want to automate the index creation process so that we don't have to manually create the index before indexing the data to Splunk.

We created the index using the command curl -k -u : //indexer:port/servicesNS///data/indexes -d name=
and the index was created without a restart.

However, after the index is created we wanted to assign the correct role to the index so that it is
a: searchable by default
b: add it to indexes under authorization

We can do it using the GUI but wanted to automate it so that we can either do it from the command line or using a script.

Can anyone suggest how they have handled automatic index creation in the past?

Super Champion

Great question. So roles are not assigned to indexes; each role can have a list of indexes that it's allowed to access and a list of indexes to search by default.

So you'll have to add your new index to a role (not the other way around).

The endpoint for doing this will be in the following form:

https://<splunk_server>:8089/servicesNS/<user>/<app>/authorization/roles/<role>

Specifically take note of srchIndexesAllowed and srchIndexesDefault.

You'll probably want to do this in two steps. First GET the current values for these two attributes, put them in a temporary variable, add your new index to the list, and then update the value in Splunk via a POST. Otherwise you may remove existing indexes from your roles, which would be bad.

Testing this in a safe environment first is recommended. 😉
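The GET, merge and POST steps described above, sketched as an added example that is not part of the original post. It assumes the role is fetched with `?output_mode=json` appended to the endpoint and that the update is sent as form-encoded arguments, one `srchIndexesAllowed` / `srchIndexesDefault` pair per index; the sample response, the index name `app_logs` and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlencode

# The two role attributes named in the answer above.
LIST_ATTRS = ("srchIndexesAllowed", "srchIndexesDefault")

# Constructed sample of what GET .../authorization/roles/<role>?output_mode=json
# returns (trimmed to the fields used here).
SAMPLE_ROLE_JSON = json.dumps({
    "entry": [{
        "name": "user",
        "content": {
            "srchIndexesAllowed": ["main", "web"],
            "srchIndexesDefault": ["main"],
            "srchJobsQuota": 3,
        },
    }]
})


def merged_index_lists(role_json, new_index):
    """Return {attr: [indexes]} with new_index appended once to each list,
    keeping every index the role already had."""
    content = json.loads(role_json)["entry"][0]["content"]
    merged = {}
    for attr in LIST_ATTRS:
        current = list(content.get(attr) or [])
        if new_index not in current:  # idempotent: safe to re-run
            current.append(new_index)
        merged[attr] = current
    return merged


def role_update_body(role_json, new_index):
    """Build the POST body: the full list is re-sent, one key=value per index,
    so existing indexes are not dropped from the role."""
    merged = merged_index_lists(role_json, new_index)
    pairs = [(attr, idx) for attr in LIST_ATTRS for idx in merged[attr]]
    return urlencode(pairs)


if __name__ == "__main__":
    # Send the printed string as the body of the POST to the same role endpoint.
    print(role_update_body(SAMPLE_ROLE_JSON, "app_logs"))
```

The body carries only plain index names, not the XML fragments from the GET response.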

Path Finder

I tried doing it through the temporary variable and am getting the error "In handler 'roles': Argument "</s:key> <s:key name" is not supported by this handler."

0 Karma

Path Finder

I am new to using REST APIs. Can you please let me know what would be the content of the temporary variable and what command should work?
I tried using - curl -k -u user:password -X POST --data '/s:keytest/s:item/s:list /s:key' \https://127.0.0.1:8089/servicesNS/admin/search/authorization/roles/admin - but it didn't work.
Thanks a lot!

0 Karma

Path Finder

Thanks a lot!

0 Karma