We want to automate the index creation process so that we don't have to manually create the index before indexing the data to Splunk.
We created the index using the command curl -k -u and the index was created without a restart.
However, after the index is created we wanted to assign the correct role to the index so that it is
a: searchable by default
b: add it to indexes under authorization
We can do it using the GUI but wanted to automate it so that we can either do it from the command line or using a script.
Can anyone suggest how they have handled automatic index creation in the past?
Great question. So roles are not assigned to indexes, each role can have a list of indexes that it's allowed to access and a list of indexes to search by default.
So you'll have to add your new index to a role (not the other way around).
The endpoint for doing this will be in the following form:
https://<splunk_server>:8089/servicesNS/<user>/<app>/authorization/roles/<role>
Specifically take note of srchIndexesAllowed and srchIndexesDefault.
You'll probably want to do this in two steps. First GET the current values for these two attributes, put them in a temporary variable, add your new index to the list, and then update the value in Splunk via a POST. Otherwise you may remove existing indexes from your roles, which would be bad.
Testing this in a safe environment first is recommended. 😉
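The two-step GET-then-POST update described in the answer above, as an added example that is not part of the original thread or Splunk's own code. It assumes the role is read with `output_mode=json`, that each multi-valued attribute is sent as one form field per index, and that `role_url` is the endpoint in the form given above; the function names, the sample role JSON and the index name `app_logs` are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

ATTRS = ("srchIndexesAllowed", "srchIndexesDefault")

# Constructed sample of a role GET response (output_mode=json), trimmed to the two attributes.
SAMPLE_ROLE_JSON = json.dumps({"entry": [{"name": "user", "content": {
    "srchIndexesAllowed": ["main", "web"], "srchIndexesDefault": ["main"]}}]})


def merged_role_fields(role_json, new_index):
    """Build POST fields that keep every index the role already has and add new_index."""
    content = json.loads(role_json)["entry"][0]["content"]
    fields = []
    for attr in ATTRS:
        current = content.get(attr) or []
        if isinstance(current, str):  # tolerate a single value returned as a string
            current = [current]
        wanted = list(dict.fromkeys([*current, new_index]))  # de-duplicate, keep order
        fields += [(attr, name) for name in wanted]
    return fields


def add_index_to_role(role_url, new_index, user, password, cafile=None):
    """GET the role, merge in new_index, POST the full lists back. Returns the fields sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(data=None):
        req = urllib.request.Request(role_url + "?output_mode=json", data=data,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read().decode()

    fields = merged_role_fields(call(), new_index)
    call(urllib.parse.urlencode(fields).encode())  # data present, so this is a POST
    return fields


if __name__ == "__main__":
    # Offline demo: show the form body that would be POSTed for the sample role.
    print(urllib.parse.urlencode(merged_role_fields(SAMPLE_ROLE_JSON, "app_logs")))
```

Pass `cafile` when the management port uses a certificate signed by an internal CA, so the script does not need to skip verification the way `curl -k` does.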
I tried doing it through the temporary variable and am getting the error "
I am new to using rest APIs. Can you please let me know what would be the content of the temporary variable and what command should work?
I tried using - curl -k -u user:password -X POST --data '/s:key
Thanks a lot!