Hi! We are on Splunk 7.2.0, and I am trying to automate setting up a Saved Search using an Ansible Playbook that would dump data into a Summary Index. What's odd is that I can get everything to work correctly, except that "Enable Summary Index" (action.summary_index) won't go to "true" or accept the value of 1, but it does accept everything else.
- name: Create Splunk Search to populate Summary Index
  uri:
    url: https://<server>:8089/servicesNS/admin/chargeback/saved/searches
    method: POST
    user: admin
    password: "{{ splunk }}"
    body_format: form-urlencoded
    validate_certs: false
    status_code: 201
    body:
      name: "name"
      search: 'index=_internal'
      dispatch.earliest_time: -1d@h
      dispatch.latest_time: now
      cron_schedule: 0 0 * * *
      action.summary_index: 1
      action.summary_index._name: index_utilization_summary
      is_scheduled: 1
  register: searchquery
Can someone please take a look and see perhaps if I'm using the wrong tag? I would appreciate it!
Thanks!
Stephen
You need to use actions: summary_index
instead of action.summary_index: 1
Splendid! That did the trick! Thank you!
Welcome .. 🙂
I think I found my answer in the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTsearch
Basically, the REST value is read-only...?