Solved: Re: Enable Summary Index Search from REST API

skirven · ‎05-14-2020

Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that would dump data into a Summary Index. What's odd is that I can get everything to work correctly, except for the "Enable Summary Index" (action.summary_index) won't go to "true" or accept the value of 1, but it does accept everything else.

   - name: Create Splunk Search to populate Summary Index
     uri:
       url: https://<server>:8089/servicesNS/admin/chargeback/saved/searches
       method: POST
       user: admin
       password: "{{ splunk }}"
       body_format: form-urlencoded
       validate_certs: false
       status_code: 201
       body:
          name: "name"
          search: 'index=_internal"'
          dispatch.earliest_time: -1d@h
          dispatch.latest_time: now
          cron_schedule: 0 0 * * *
          action.summary_index: 1
          action.summary_index._name: index_utilization_summary
          is_scheduled: 1
       register: searchquery

Can someone please take a look and see perhaps if I'm using the wrong tag? I would appreciate it!
Thanks!
Stephen

harsmarvania57 · ‎05-14-2020

You need to use actions: summary_index instead of action.summary_index: 1

View solution in original post

harsmarvania57 · ‎05-14-2020

You need to use actions: summary_index instead of action.summary_index: 1

skirven · ‎05-14-2020

Splendid! That did the trick! Thank you!

harsmarvania57 · ‎05-14-2020

Welcome .. 🙂

skirven · ‎05-14-2020

I think I found my answer in the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTsearch

Basically, the REST value is read-only...?

Enable Summary Index Search from REST API

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann