Getting Data In

How to tell when it's safe to query the API about a newly created user?

krisreeves
Path Finder

When using SSO with clustered search heads, users who lose SSO access leave behind knowledge objects and directories on the file system. I'm doing some work to clean these up. In order to be able to query the Splunk API for the full set of information, it's necessary to re-create the user so that Splunk will see and return information about their private knowledge objects. While doing this, I noticed the following problem:

  1. I can ask the API about the knowledge objects owned by a user via /servicesNS/-/-/admin/directory
  2. However, if I ask about saved searches from /servicesNS/USERNAME/search/saved/searches/SEARCH_NAME, I get a 404 for searches that are present in (1)
  3. After 5-10 seconds, (2) begins to work

I suspected that maybe the search head cluster needs to sync some configuration, so I hit /services/shcluster/status while (2) is failing repeatedly to get some info about the search head cluster state. None of the search heads specify they are out of sync, and the last conf replication time reset (indicating a configuration replication had happened), but the API was still returning 404s on saved searches for a few seconds.

Is there any way to know when it's "safe" to request information pertaining to a user? Is the /directory endpoint potentially affected by this? Are there other endpoints that may be affected in the same way?

One other thing I tested was querying /servicesNS/-/search/saved/searches/SEARCH_NAME, however it exhibited the same behavior. Not all users seem to behave this way, but the particular user in question had a couple knowledge objects of type "props-extract". It seems likely that re-adding those to the system is taking longer, and this added delay somehow affects their saved searches showing up.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You should be able to hit /debug/refresh first then the endpoint you're looking for. In SHC, if you're aiming directly at one server versus querying a load balancer VIP you shouldn't have to worry about propagation.

0 Karma

krisreeves
Path Finder

All my testing was against a single host (no load balancer involved) from localhost, which is why I'm puzzled. By propagation, I was thinking that perhaps once the user is enabled, some system process needed to atomically update the cluster (due to the props-extract configs, which none of the other users that seem to work fine have) before it would "activate", much like cluster bundle config pushes, and that I was hitting things before that happened.

I'll see if /debug/refresh makes a difference tomorrow, since the problem seems to be consistently reproducible with this one particular user.

0 Karma

krisreeves
Path Finder

(update)

/debug/refresh is a web ui thing, not a REST API thing. I found the comment below this answer: https://answers.splunk.com/answering/661816/view.html and gave it a try, but the same behavior is still exhibited (I have to retry multiple times to get the expected data)

0 Karma

jkat54
SplunkTrust
SplunkTrust
0 Karma

krisreeves
Path Finder

That's exactly what I did. "I found the comment below this answer and gave it a try"
It didn't help 😞

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...