Getting Data In

Enable Summary Index Search from REST API

skirven
Communicator

Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that would dump data into a Summary Index. What's odd is that I can get everything to work correctly, except for the "Enable Summary Index" (action.summary_index) won't go to "true" or accept the value of 1, but it does accept everything else.

   - name: Create Splunk Search to populate Summary Index
     uri:
       url: https://<server>:8089/servicesNS/admin/chargeback/saved/searches
       method: POST
       user: admin
       password: "{{ splunk }}"
       body_format: form-urlencoded
       validate_certs: false
       status_code: 201
       body:
          name: "name"
          search: 'index=_internal"'
          dispatch.earliest_time: -1d@h
          dispatch.latest_time: now
          cron_schedule: 0 0 * * *
          action.summary_index: 1
          action.summary_index._name: index_utilization_summary
          is_scheduled: 1
       register: searchquery

Can someone please take a look and see perhaps if I'm using the wrong tag? I would appreciate it!
Thanks!
Stephen

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

You need to use actions: summary_index instead of action.summary_index: 1

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

You need to use actions: summary_index instead of action.summary_index: 1

0 Karma

skirven
Communicator

Splendid! That did the trick! Thank you!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Welcome .. 🙂

0 Karma

skirven
Communicator

I think I found my answer in the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTsearch

Basically, the REST value is read-only...?

alt text

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...