REST API - permissions issue

Explorer

Hi,

What special capabilities (permissions) are required to run the REST API? A colleague and I are both running one of the search examples: he gets results, but I get a FATAL empty search error. He is an admin, but I am not (though I do have access via the web to run queries).

Robert
P.S. My role "dealing" is equivalent to the built-in "power" role; its capabilities are:

change_own_password
get_metadata
get_typeahead
list_inputs
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_search
search


Explorer

The problem appears to have been with the version of curl I was using. This works fine with
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

whereas

curl 7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3

did not work.


Explorer

It took us a while to get this for Graphistry! For running regular Splunk REST searches without needing an admin user, create a role with capabilities search and rest_properties_get and assign that role to your user. You can build up from there.


Champion

Just done some testing, and my test user with the user role can access all the endpoints I would expect a user to, based on their permissions within Splunk. E.g. it can view role information that relates to its user only. If I try to access anything for the admin user via servicesNS, then it correctly throws "In handler 'users': You do not have permissions to access objects of user=admin" at me.

Is the search you're running a saved search with only his permissions to run? If you paste the details and steps you take I'd be happy to give it a proper try step by step.

Champion

Well, you're trying to hit the admin user endpoint there; instead of /admin/search you need to use /morschr/search. EDIT: Just tested it with my test user, hitting /test/search, and it returned perfectly 🙂
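
An added example, not part of the thread and not Splunk's own code, of the two checks the replies point to: the role needs the search and rest_properties_get capabilities, and a non-admin user has to address their own namespace under servicesNS. The shape of the current-context response, the sample user data, the base URL and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import quote

# Minimum capabilities named in the thread for non-admin REST searches.
REQUIRED = {"search", "rest_properties_get"}
# Namespace owners any user may address: "nobody" (shared objects), "-" (wildcard).
SHARED_OWNERS = {"nobody", "-"}

# Constructed sample: trimmed JSON as returned by
# GET /services/authentication/current-context?output_mode=json (shape assumed).
SAMPLE_CONTEXT = json.dumps({"entry": [{"content": {
    "username": "morschr",
    "roles": ["dealing"],
    "capabilities": ["search", "rtsearch", "schedule_search",
                     "rest_apps_view", "rest_properties_get"],
}}]})


def search_jobs_url(base, owner, app="search"):
    """Build the namespaced search-jobs endpoint for owner/app."""
    return "%s/servicesNS/%s/%s/search/jobs" % (
        base.rstrip("/"), quote(owner, safe=""), quote(app, safe=""))


def preflight(context_json, owner):
    """Return likely reasons a non-admin search in owner's namespace is refused."""
    content = json.loads(context_json)["entry"][0]["content"]
    problems = []
    missing = sorted(REQUIRED - set(content.get("capabilities", [])))
    if missing:
        problems.append("missing capabilities: " + ", ".join(missing))
    if owner not in SHARED_OWNERS and owner != content["username"]:
        problems.append("namespace owner %r is not the authenticated user %r"
                        % (owner, content["username"]))
    return problems


if __name__ == "__main__":
    base = "https://localhost:8089"  # assumed: default management port
    for owner in ("admin", "morschr"):
        print(search_jobs_url(base, owner),
              preflight(SAMPLE_CONTEXT, owner) or "ok")
```
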

Splunk Employee

I only know enough to confirm that it's a complex topic. See Accessing Splunk resources in the REST API Reference for more information about the particulars. You might need to have admin permissions to get the results you want. Other (more knowledgeable!) people might have a better answer for you.

Explorer

Thanks for this. What bothers me is that all the examples use an admin user... which is an issue for me since I am not an admin, and shouldn't really need to be.

Hopefully someone else will shed some light on this.
