Solved: Constructing URL to add a splunk user via REST (or...

brent_weaver · ‎12-22-2018

So I need to add a bunch of local users to Splunk. We are an ansible shop, and we can leverage the uri modue:

---

- name: Add Splunk Users
  uri:
    url: https://localhost:8089/services/authentication/users
    method: POST
    validate_certs: no
    user: admin
    password: jonesville
    body: '{ name: "brent", password: "jonesville", roles: "admin" }'
    force_basic_auth: yes

This does not work. How can I construct the body to take my input and add the user as necessary? I could also maybe string a whole url together and POST?!?!

Any advice is MUCH appreciated.

brent_weaver · ‎12-23-2018

Hey guys. I got it!

So i have an ansible playbook as such:

---
- name: Add Splunk Users via REST API
  uri:
    url: https://localhost:8089/services/authentication/users
    method: POST
    validate_certs: no
    user: "{{ splunk_admin_user }}"
    password: "{{ splunk_admin_pass }}"
    body: "realname={{ item.comment }}&name={{ item.username }}&password={{ item.splunk_pass }}&roles=admin&email={{ item.email }}"
    force_basic_auth: yes
    status_code: 201,400
    headers:
      Content-Type: "application/x-www-form-urlencoded"
  with_items:
    - "{{ users }}"

Create an ansible dictionary variable:

---
users:
  - { username: "123456789", splunk_pass: "bobsuncle", email: "new.user@domain.com", comment: "User, New" }

Call that file at invocation of the playbook with -e @varfile.yml.

This may seem like overkill but this allows me to manage outlier accounts on hundreds of servers, ansible style. I like doing it this way because the uri module is very flex and alows you to capture allot about the event, most namely to accept certain https exit codes as "OK".

Hopefully this helps someone else out.

View solution in original post

brent_weaver · ‎12-23-2018

Hey guys. I got it!

So i have an ansible playbook as such:

---
- name: Add Splunk Users via REST API
  uri:
    url: https://localhost:8089/services/authentication/users
    method: POST
    validate_certs: no
    user: "{{ splunk_admin_user }}"
    password: "{{ splunk_admin_pass }}"
    body: "realname={{ item.comment }}&name={{ item.username }}&password={{ item.splunk_pass }}&roles=admin&email={{ item.email }}"
    force_basic_auth: yes
    status_code: 201,400
    headers:
      Content-Type: "application/x-www-form-urlencoded"
  with_items:
    - "{{ users }}"

Create an ansible dictionary variable:

---
users:
  - { username: "123456789", splunk_pass: "bobsuncle", email: "new.user@domain.com", comment: "User, New" }

Call that file at invocation of the playbook with -e @varfile.yml.

This may seem like overkill but this allows me to manage outlier accounts on hundreds of servers, ansible style. I like doing it this way because the uri module is very flex and alows you to capture allot about the event, most namely to accept certain https exit codes as "OK".

Hopefully this helps someone else out.

mattymo · ‎12-23-2018

Hey! Do you have debug logs by any chance? would love to check the uri that is constructed against:

https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#URI_encoding
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authentication.2Fusers

- MattyMo

jkat54 · ‎12-23-2018

Which version of Splunk? 7.x introduced a new process that involves a seed file.

brent_weaver · ‎12-23-2018

This is 7.2, but this is post install, i got the seed part down (and thats a nice feature)

Constructing URL to add a splunk user via REST (or via ansible uri mod)

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?