So I need to add a bunch of local users to Splunk. We are an ansible shop, and we can leverage the uri module:
---
- name: Add Splunk Users
  uri:
    url: https://localhost:8089/services/authentication/users
    method: POST
    validate_certs: no
    user: admin
    password: jonesville
    body: '{ name: "brent", password: "jonesville", roles: "admin" }'
    force_basic_auth: yes
This does not work. How can I construct the body to take my input and add the user as necessary? I could also maybe string a whole url together and POST?!?!
Any advice is MUCH appreciated.
Hey guys. I got it!
So I have an ansible playbook as such:
---
- name: Add Splunk Users via REST API
  uri:
    url: https://localhost:8089/services/authentication/users
    method: POST
    validate_certs: no
    user: "{{ splunk_admin_user }}"
    password: "{{ splunk_admin_pass }}"
    body: "realname={{ item.comment }}&name={{ item.username }}&password={{ item.splunk_pass }}&roles=admin&email={{ item.email }}"
    force_basic_auth: yes
    status_code: 201,400
    headers:
      Content-Type: "application/x-www-form-urlencoded"
  with_items:
    - "{{ users }}"
Create an ansible dictionary variable:
---
users:
  - { username: "123456789", splunk_pass: "bobsuncle", email: "new.user@domain.com", comment: "User, New" }
Call that file at invocation of the playbook with -e @varfile.yml.
This may seem like overkill, but this allows me to manage outlier accounts on hundreds of servers, ansible style. I like doing it this way because the uri module is very flex and allows you to capture a lot about the event, most namely to accept certain https exit codes as "OK".
Hopefully this helps someone else out.
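Added example, not part of the original post: the playbook above builds the form body by plain string interpolation, so a password containing `&`, `=` or `+` is not percent-encoded. The Python sketch below compares that raw body with a properly encoded one; the sample password is constructed, and the assumption is that the receiving side decodes the body like a standard `application/x-www-form-urlencoded` parser.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample record with the same keys as the `users` variable above.
# The password deliberately contains characters that are special in a form body.
USER = {
    "username": "123456789",
    "splunk_pass": "bobs&uncle=1+2",
    "email": "new.user@domain.com",
    "comment": "User, New",
}

def raw_body(item):
    """Body built by plain interpolation, mirroring the playbook's template."""
    return (
        "realname={comment}&name={username}&password={splunk_pass}"
        "&roles=admin&email={email}"
    ).format(**item)

def encoded_body(item):
    """Same fields, percent-encoded for application/x-www-form-urlencoded."""
    return urlencode({
        "realname": item["comment"],
        "name": item["username"],
        "password": item["splunk_pass"],
        "roles": "admin",
        "email": item["email"],
    })

def as_server_sees(body):
    """Decode a body like a standard form parser (assumed server behaviour)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def mangled_fields(item):
    """Fields whose decoded value differs from the intended one: (intended, received)."""
    intended = as_server_sees(encoded_body(item))
    received = as_server_sees(raw_body(item))
    return {k: (intended.get(k), received.get(k))
            for k in sorted(set(intended) | set(received))
            if intended.get(k) != received.get(k)}

if __name__ == "__main__":
    print(encoded_body(USER))
    for field, (want, got) in mangled_fields(USER).items():
        print(f"{field}: intended {want!r}, server would see {got!r}")
```

In Ansible, the `uri` module applies this encoding itself when the task sets `body_format: form-urlencoded` and passes `body` as a dictionary instead of a pre-built string.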
Hey! Do you have debug logs by any chance? Would love to check the uri that is constructed against:
https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#URI_encoding
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authentication.2Fusers
Which version of Splunk? 7.x introduced a new process that involves a seed file.
This is 7.2, but this is post install. I got the seed part down (and that's a nice feature).