Is it possible to create a job with another user's restrictions in the Splunk JS SDK?

stamstam
Explorer

I'm trying to create a job, connecting as admin, with another user's restrictions.
I have created a user 'weak'; user 'weak' can't search internal indexes. The restriction was created with a role.
I tried changing the namespace in job creation:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

// Namespace passed to service.jobs(); the owner here is the restricted user
let namespace = {
    owner: "weak",
    app: "search"
}

service.jobs(namespace).create(params.search, params, function (err, job) {
    if (err) {
        console.log(err);
        return;
    }
});

I also tried using namespace with servicesNS:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

let user = "weak";
service.post("/servicesNS/" + user + "/search/search/jobs", params, function (err, response) {
    if (err) {
         console.log(err);
         return;
    }
});

When I inspect the job in the Splunk UI, the owner is always admin, and not weak.

0 Karma

badarsebard
Communicator

There doesn't seem to be a way to do it using the search/jobs endpoint. However, you can do this with a saved search.

  1. Create a saved search owned by the admin with the query and settings you need to run.
  2. POST to the saved/searches/{name}/dispatch endpoint to execute the search, making sure to set the dispatchAs parameter to the name of your user (i.e. weak from your question above).

This should execute the saved search as the specified user and return the sid which you can use to retrieve the results.

The big hole in this solution is you need to know the search query to use for the saved search ahead of time so it can be created. If that's a problem and you really need to be able to create adhoc searches that run as a different user, you can also take a look at the args parameter of the above saved searches endpoint which allows you to specify different args.{name} parameters and use them in a token style syntax of the search (i.e. search index=$args.index$).

0 Karma
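
The dispatch call described in the answer above, as an added example that is not part of the original thread: it builds the request for the saved/searches/{name}/dispatch endpoint with dispatchAs and args.* values, and rejects argument values that would add extra SPL through a token such as $args.index$. The saved search name internal_by_index, the helper buildDispatchRequest and the validation patterns are assumptions.

```javascript
// Added example (not from the thread). Assumed: a saved search named
// "internal_by_index", owned by admin in the search app, whose query is
// "search index=$args.index$ | table *".

// Values substituted into $args.<name>$ become part of the SPL, so accept
// only plain identifiers: no spaces, pipes, quotes, brackets or wildcards.
const SAFE_ARG_NAME = /^[A-Za-z][A-Za-z0-9_]*$/;
const SAFE_ARG_VALUE = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,79}$/;

function buildDispatchRequest({ owner, app, savedSearch, runAs, args = {}, earliest, latest }) {
    if (!runAs) throw new Error("runAs user is required");

    // Namespaced path to the saved search's dispatch endpoint.
    const path = "/servicesNS/" + [owner, app].map(encodeURIComponent).join("/") +
        "/saved/searches/" + encodeURIComponent(savedSearch) + "/dispatch";

    // dispatchAs is set to the user name, as the answer describes.
    const form = { dispatchAs: runAs };
    if (earliest !== undefined) form["dispatch.earliest_time"] = String(earliest);
    if (latest !== undefined) form["dispatch.latest_time"] = String(latest);

    for (const [name, value] of Object.entries(args)) {
        if (!SAFE_ARG_NAME.test(name)) throw new Error("bad arg name: " + name);
        if (!SAFE_ARG_VALUE.test(String(value))) throw new Error("bad arg value for " + name);
        form["args." + name] = String(value);
    }
    return { path, form };
}

const request = buildDispatchRequest({
    owner: "admin",
    app: "search",
    savedSearch: "internal_by_index",
    runAs: "weak",
    args: { index: "_internal" },
    earliest: 1551391200,
    latest: 1554199680
});
console.log(request.path);
console.log(request.form);

// With the SDK service object from the question (needs splunk-sdk and a live server):
// service.post(request.path, request.form, function (err, response) { /* read the sid */ });
```

If the role restriction is applied as expected, the dispatched job runs with the access rights of weak, so a request for _internal should return nothing that user is not allowed to see.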