Splunk 6.2.1 with Splunk PowerShell Resource Kit: How to automate the creation of an index using New-SplunkIndex?

broccliman
Explorer

Using Splunk Enterprise 6.2.1 along with the latest version of the splunk-reskit-powershell toolkit, I (and others on my team with local installations of Splunk Enterprise) are having trouble automating the creation of an index using New-SplunkIndex. The code looks something like this:

Import-Module Splunk
Disable-CertificateValidation
Connect-Splunk -ComputerName $env:COMPUTERNAME -Protocol https -Port 8089
New-SplunkIndex -Name test

The error message:

Invoke-HTTPPost : Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (400) Bad Request."

Using verbose output, we get this response:

<response>
  <messages>
   <msg type="ERROR">
 In handler 'indexes': Argument "search" is not supported by this handler.</msg>
  </messages>
</response>

Digging into the verbose output, we can see the data being POST'ed to the Splunk endpoint:

VERBOSE:  [Invoke-HTTPPost] :: $PostString = search=&name=test

We were able to dig into Splunk-Core.psm1, modify the Invoke-HttpPost function, and get past this error. We did so by essentially commenting out line 224.

Based on our limited research, it seems like the core Invoke-HTTPPost method always includes a search value within the message body being POST'ed; however, the REST endpoint for creating a new index rejects the search parameter.

Is there a different way we should be using the toolkit to create an index, or is this a bug within the toolkit itself?

1 Solution

halr9000
Motivator

It is a bug (created issue #13). Submit a pull request or open an issue if you'd like credit for the fix: https://github.com/splunk/splunk-reskit-powershell

The toolkit is open source, and in need of refactoring to use our v2 .NET SDK. Chip in if that's something you're interested in helping with.

Great troubleshooting, by the way!

0 Karma

broccliman
Explorer

Thanks for the response. Although this doesn't change my situation, you did answer my question - marking this as the answer.

I would submit a PR, but my change lacks the context of the larger use of Invoke-HTTPPost; I think it's too narrow-sighted. Instead, we will move forward by implementing our own version of New-SplunkIndex using HTTP against the REST API.

0 Karma
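
A sketch of the direct REST approach mentioned in the reply above, added here as an example; it is not code from the thread or from the resource kit. The function name New-SplunkIndexViaRest and its parameters are hypothetical. It assumes the certificate on port 8089 chains to a CA the client trusts, so certificate validation stays enabled, and it sends only the name argument so the 'indexes' handler has no search parameter to reject.

```powershell
# Added example: create an index by POSTing straight to the Splunk REST API.
# New-SplunkIndexViaRest and its parameters are hypothetical names.
function New-SplunkIndexViaRest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Splunk index names: lowercase letters, digits, '_' and '-',
        # and they may not start with '_' or '-'.
        [Parameter(Mandatory)]
        [ValidatePattern('^[a-z0-9][a-z0-9_-]*$')]
        [string]$Name,

        [Parameter(Mandatory)]
        [pscredential]$Credential,

        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Port = 8089
    )

    $base = "https://${ComputerName}:$Port"

    # Exchange the credential for a session key (POST /services/auth/login).
    # The XML response is <response><sessionKey>...</sessionKey></response>.
    $login = Invoke-RestMethod -Method Post -Uri "$base/services/auth/login" -Body @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    $headers = @{ Authorization = "Splunk $($login.response.sessionKey)" }

    # Only 'name' goes in the form body: no empty 'search=' argument.
    $body = @{ name = $Name }

    if ($PSCmdlet.ShouldProcess($base, "Create index '$Name'")) {
        try {
            Invoke-RestMethod -Method Post -Uri "$base/services/data/indexes" `
                -Headers $headers -Body $body | Out-Null
        }
        catch {
            # Surface the handler's <msg type="ERROR"> text when it is available.
            $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
            throw "Creating index '$Name' failed: $detail"
        }
    }
}

# Usage (prompts for the Splunk account; -WhatIf shows the call without making it):
# New-SplunkIndexViaRest -Name test -Credential (Get-Credential) -WhatIf
```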

halr9000
Motivator

Just checked out the code and confirmed the bug. I created an issue to track this as well: https://github.com/splunk/splunk-reskit-powershell/issues/13

halr9000
Motivator

Makes sense. I do hope we come back to this project for a refresh. Adding a reminder for myself to look into it.

0 Karma