Solved: Re: Splunk dashboard automation via REST: Which sp...

mmichalowicz · ‎03-08-2019

I would like to perform HTTP GET and POST XML for Splunk dashboards via REST. However, I need to ask for specific roles for this including auth, GET, and POST from my Splunk support organization.

Which roles do I need to explicitly request? Asking for admin privileges is out of the question.

The links I see in all the answers point to generic documentation that simply aren't helping me with explicitly what I have to ask for.

I need the most minimal permissions to accomplish simple auth, GET, and POST to have any chance to be approved...

Thanks in advance.

mmichalowicz · ‎03-11-2019

I figured it out... The URL used by the webapp is either forwarded or is a different endpoint. I found the URL which responds to services/auth/login, I am able to get session key, and then do some other downstream endpoints returning the XML for dashboards. I simply now have to get used to the API's I need to simply get the dashboard xml.. I'm now struggling with labels, names, and id's but it appears this is a normal journey.

Thanks all for responding!

View solution in original post

mmichalowicz · ‎03-11-2019

I figured it out... The URL used by the webapp is either forwarded or is a different endpoint. I found the URL which responds to services/auth/login, I am able to get session key, and then do some other downstream endpoints returning the XML for dashboards. I simply now have to get used to the API's I need to simply get the dashboard xml.. I'm now struggling with labels, names, and id's but it appears this is a normal journey.

Thanks all for responding!

somesoni2 · ‎03-08-2019

It depends on what artifacts/endpoints you're hitting and what POST operations you want to perform. If you're just looking to modify artifacts that you own, regular user role is sufficient. If you want to modify searches that you've shared with other users, power user may the role you need.

mmichalowicz · ‎03-08-2019

IMO, there's no such thing as "regular user role" in corporate security... I'm assuming REST roles were revoked from "regular users" since I can't get an /account/login POST working from Java, curl, Postman, etc...

So my question remains, what are the minimal roles needed to at least do an auth, GET, and POST to dashboards I have access to as my user (I don't "own" anything, I am simply a user to these dashboards)

A simple auth always returns 401 unauthorized, so there must be some minimal roles to even get an auth...
I put Chrome in debug and watch POST's to the /account/login endpoint with username/password in a POST x-www-form-urlencoded but I simply cannot reproduce a successful call outside of the Splunk Web pages..

somesoni2 · ‎03-08-2019

What error that you get when running a POST for /auth/login ? Do you have access to Splunk (login to Splunk Web UI with same credentials)?

If you're trying to access a dashboard, owned by others, your Splunk role should have permission to read/edit those dashboards. So, more that capabilities, this could be an issue of permission at the object level.

mmichalowicz · ‎03-11-2019

I've tried auth/login and services/auth/login but they aren't valid endpoints (404). I try account/login and I get a 401 Unauthorized with a response body { "status" : 1 }

I am mimicking the URL that the Splunk UI is authorizing against (debugging using Chrome dev tools)

Splunk dashboard automation via REST: Which specific roles should I ask for?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?