Getting Data In

Enable Summary Index Search from REST API

skirven
Communicator

Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that would dump data into a Summary Index. What's odd is that I can get everything to work correctly, except for the "Enable Summary Index" (action.summary_index) won't go to "true" or accept the value of 1, but it does accept everything else.

   - name: Create Splunk Search to populate Summary Index
     uri:
       url: https://<server>:8089/servicesNS/admin/chargeback/saved/searches
       method: POST
       user: admin
       password: "{{ splunk }}"
       body_format: form-urlencoded
       validate_certs: false
       status_code: 201
       body:
          name: "name"
          search: 'index=_internal"'
          dispatch.earliest_time: -1d@h
          dispatch.latest_time: now
          cron_schedule: 0 0 * * *
          action.summary_index: 1
          action.summary_index._name: index_utilization_summary
          is_scheduled: 1
       register: searchquery

Can someone please take a look and see perhaps if I'm using the wrong tag? I would appreciate it!
Thanks!
Stephen

0 Karma
1 Solution

harsmarvania57
Ultra Champion

You need to use actions: summary_index instead of action.summary_index: 1

View solution in original post

0 Karma

harsmarvania57
Ultra Champion

You need to use actions: summary_index instead of action.summary_index: 1

0 Karma

skirven
Communicator

Splendid! That did the trick! Thank you!

0 Karma

harsmarvania57
Ultra Champion

Welcome .. 🙂

0 Karma

skirven
Communicator

I think I found my answer in the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTsearch

Basically, the REST value is read-only...?

alt text

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...