
Splunk 6.2.1 with Splunk PowerShell Resource Kit: How to automate the creation of an index using New-SplunkIndex?

broccliman
Explorer

Using Splunk Enterprise 6.2.1 along with the latest version of the splunk-reskit-powershell toolkit, I (and others on my team with local installations of Splunk Enterprise) are having trouble automating the creation of an index using New-SplunkIndex. The code looks something like this:

Import-Module Splunk
Disable-CertificateValidation
Connect-Splunk -ComputerName $env:COMPUTERNAME -Protocol https -Port 8089
New-SplunkIndex -Name test

The error message:

Invoke-HTTPPost : Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (400) Bad Request."

Using verbose output, we get this response:

<response>
  <messages>
   <msg type="ERROR">
 In handler 'indexes': Argument "search" is not supported by this handler.</msg>
  </messages>
</response>

Digging into the verbose output, we can see the data being POST'ed to the Splunk endpoint:

VERBOSE:  [Invoke-HTTPPost] :: $PostString = search=&name=test

We were able to dig into Splunk-Core.psm1, modify the Invoke-HttpPost function, and get past this error. We did so by essentially commenting out line 224.

Based on our limited research, it seems like the core Invoke-HTTPPost method always includes a search value within the message body being POST'ed; however, the REST endpoint for creating a new index rejects the search parameter.

Is there a different way we should be using the toolkit to create an index, or is this a bug within the toolkit itself?

1 Solution

halr9000
Motivator

It is a bug (created issue #13). Submit a pull request or open an issue if you'd like credit for the fix: https://github.com/splunk/splunk-reskit-powershell

The toolkit is open source, and in need of refactoring to use our v2 .NET SDK. Chip in if that's something you're interested in helping with.

Great troubleshooting, by the way!


0 Karma

broccliman
Explorer

Thanks for the response. Although this doesn't change my situation, you did answer my question - marking this as the answer.

I would submit a PR, but my change lacks the context of the larger use of Invoke-HTTPPost; I think it's too narrow-sighted. Instead, we will move forward by implementing our own version of New-SplunkIndex using HTTP against the REST API.

0 Karma

halr9000
Motivator

Just checked out the code and confirmed the bug. I created an issue to track this as well: https://github.com/splunk/splunk-reskit-powershell/issues/13

halr9000
Motivator

Makes sense. I do hope we come back to this project for a refresh. Adding a reminder for myself to look into it.

0 Karma
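
The workaround described in this thread (posting to the REST API directly instead of going through Invoke-HTTPPost), as an added example that is not code from the thread or from splunk-reskit-powershell. The function name, the `-Settings` parameter and the use of HTTP basic authentication are assumptions; certificate validation is left on, so the management port's certificate must be trusted by the client and match `$ComputerName`.

```powershell
# Added example (hypothetical function name); not code from splunk-reskit-powershell.
function New-SplunkIndexViaRest {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential,
        [string] $ComputerName = $env:COMPUTERNAME,
        [int] $Port = 8089,
        [hashtable] $Settings = @{}   # optional extra index arguments (assumed parameter)
    )

    # HTTP basic authentication header built from the credential (assumed auth method).
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

    # Post only arguments the 'indexes' handler accepts. Unlike the body shown in the
    # verbose output above (search=&name=test), there is no 'search' field, and unset
    # values are skipped so no empty field is sent.
    $body = @{ name = $Name }
    foreach ($key in $Settings.Keys) {
        if ("$($Settings[$key])" -ne '') { $body[$key] = $Settings[$key] }
    }

    $uri = "https://${ComputerName}:$Port/services/data/indexes"
    if ($PSCmdlet.ShouldProcess($uri, "Create index '$Name'")) {
        try {
            Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body | Out-Null
        }
        catch {
            # Prefer the response body, which carries Splunk's <msg type="ERROR"> text.
            $detail = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
            throw "Creating index '$Name' on $ComputerName failed: $detail"
        }
    }
}

# Usage: New-SplunkIndexViaRest -Name test -Credential (Get-Credential)
```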