Is it possible to create a job with another user's restrictions in the Splunk JS SDK?

Explorer

I'm trying to create a job, connecting as admin, with another user's restrictions.
I have created user 'weak'; user 'weak' can't search on internal indexes. The restriction was created with a role.
I tried changing the namespace in job creation:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

let namespace = {
    owner: "weak",
    app: "search"
}

service.jobs(namespace).create(params.search, params, function (err, job) {
    if (err) {
        console.log(err);
        return;
    }
});

I also tried using namespace with servicesNS:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

let user = "weak";
service.post("/servicesNS/" + user + "/search/search/jobs", params, function (err, response) {
    if (err) {
         console.log(err);
         return;
    }
});

When I inspect the job in the Splunk UI, the owner is always admin, and not weak.

0 Karma

Communicator

There doesn't seem to be a way to do it using the search/jobs endpoint. However, you can do this with a saved search.

  1. Create a saved search owned by the admin with the query and settings you need to run.
  2. POST to the saved/searches/{name}/dispatch endpoint to execute the search, making sure to set the dispatchAs parameter to the name of your user (i.e. weak from your question above).

This should execute the saved search as the specified user and return the sid which you can use to retrieve the results.

The big hole in this solution is you need to know the search query to use for the saved search ahead of time so it can be created. If that's a problem and you really need to be able to create adhoc searches that run as a different user, you can also take a look at the args parameter of the above saved searches endpoint which allows you to specify different args.{name} parameters and use them in a token style syntax of the search (i.e. search index=$args.index$).

0 Karma
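
The parameterised dispatch described in the answer above, as an added example (not code from either poster or from the Splunk SDK): it builds the dispatch path and form parameters and allow-lists every args.{name} value, because those values are substituted into the saved search string. buildDispatchRequest, the saved search name internal_by_index and the two allow-list patterns are assumptions; dispatchAs is passed through exactly as the answer describes.

```javascript
// Added example: request builder for saved/searches/{name}/dispatch.
// Hypothetical names: buildDispatchRequest, SAFE_ARG, SAFE_KEY, "internal_by_index".

// Allow-list for values substituted into $args.<name>$ tokens: a plain
// index-style name only, so a value cannot add pipes, quotes or subsearches.
const SAFE_ARG = /^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}$/;
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildDispatchRequest({ owner, app, name, dispatchAs, args = {} }) {
    for (const [label, v] of Object.entries({ owner, app, name, dispatchAs })) {
        if (typeof v !== "string" || v.length === 0) {
            throw new TypeError(label + " must be a non-empty string");
        }
    }
    // dispatchAs is taken as given in the answer; it is not interpreted here.
    const params = { dispatchAs };
    for (const [key, value] of Object.entries(args)) {
        if (!SAFE_KEY.test(key)) throw new Error("rejected arg name: " + key);
        if (typeof value !== "string" || !SAFE_ARG.test(value)) {
            throw new Error("rejected value for args." + key);
        }
        params["args." + key] = value;
    }
    // Namespace-qualified path, each segment URL-encoded separately.
    const path = "/" + ["servicesNS", owner, app, "saved", "searches", name, "dispatch"]
        .map(encodeURIComponent).join("/");
    return { path, params };
}

// Constructed sample: a saved search owned by admin whose query is
// "search index=$args.index$", dispatched for the restricted user "weak".
const sample = buildDispatchRequest({
    owner: "admin",
    app: "search",
    name: "internal_by_index",
    dispatchAs: "weak",
    args: { index: "_internal" }
});
console.log(sample.path, sample.params);
```

The result can be handed to service.post(sample.path, sample.params, callback), the same call the question uses in its second attempt.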