Security
Highlighted

Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Explorer

Hello,

Been suck trying to figure out what type of object needs to be passed along with my key/value pair, in PowerShell, to update the 'srchIndexesAllowed' setting for a user role. Below is the code I've been using but the updates haven't applied correctly. What I'm attempting to do is remove a specific index from the values, then apply the remaining values back to 'srchIndexesAllowed'.

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization","Splunk $sessionKey")
$UserRole_Get_Response = Invoke-RestMethod -Method Get -Uri "$base_url/services/authorization/roles/test_user_role" -Headers $headers
$UserRole_Get_Response_List = $UserRole_Get_Response.content.dict | ForEach-Object {$_.key} | Where-Object {$_.name -contains "srchIndexesAllowed"}
$arrUserRole_srchIndexesAllowed = @($UserRole_Get_Response_List.list.item)

# Remove index from role
$arrUserRole_srchIndexesAllowed = $arrUserRole_srchIndexesAllowed | Where-Object {$_ -ne "index2remove"}
$body_post = @{
    srchIndexesAllowed="$arrUserRole_srchIndexesAllowed"
}

# Apply update
$UserRole_Post_Response = Invoke-RestMethod -Method Post -Uri "$base_url/services/authorization/roles/test_user_role" -Headers $headers -Body $body_post

Unfortunately it ends up applying the remaining values as a single long string which doesn't work. This can be seen via https://splunk_server:8089/services/authorization/roles/test_user_role

Before:
1. main
2. test
3. index2remove

After:
1. main test

Checking to see if anyone else in the community has successfully passed multiple values for a key to Splunk's API via PowerShell.

Thanks!

Tags (4)
Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Motivator

Any reason you are using System.Collections.Generic.Dictionary[[String],[String]]? I've not tried this before, but the first thing I'd do is to see if a regular array works. The problem is likely related to the magic array unrolling that PowerShell likes to do, bit I'm not certain.

0 Karma
Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Explorer

That particular line of code was just for the headers to pass in the session authentication key. The -headers parameter, for Invoke-RestMethod cmdlet, requires a hash key or dictionary object. It can be replaced with a @{} to accomplish the same thing.

0 Karma
Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Influencer

Comment because I haven't tried it out yet, but are you passing the remaining indexes back as a semicolon delineated list? That's the format of that property in authorize.conf

0 Karma
Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Explorer

Great thought. I did try, not per the code about, to pass in a string object where the values were delimited by a semicolon and while the authorize.conf did update per the normal format, it didn't quite apply correctly. Via the web-service the new setting looked like: 1. main;test

0 Karma
Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Explorer

So I figured out the solution.

I basically remove the '$body_post' portion of the script and replaced with a for-loop to create a single string with the following pattern, srchIndexesAllowed=main&srchIndexesAllowed=test and saved it to a new variable. Then updated the Invoke-RestMethod call to include the new variable and everything updated successfully. 🙂

View solution in original post

Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Motivator

I converted your comment to an answer so that you get internet points. 🙂

Highlighted

Re: Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed" setting for a user role?

Explorer

Thanks! 🙂

0 Karma