
Assign the correct role to the index created using the Splunk API

paduka
Path Finder

We want to automate the index creation process so that we don't have to manually create the index before indexing the data to Splunk.

We created the index using the command curl -k -u : //indexer:port/servicesNS///data/indexes -d name=
and the index was created without a restart.

However, after the index is created we wanted to assign the correct role to the index so that it is
a: searchable by default
b: add it to indexes under authorization

We can do it using the GUI but wanted to automate it so that we can either do it from the command line or using a script.

Can anyone suggest how they have handled automatic index creation in the past?

Lowell
Super Champion

Great question. So roles are not assigned to indexes; each role can have a list of indexes that it's allowed to access and a list of indexes to search by default.

So you'll have to add your new index to a role (not the other way around).

The endpoint for doing this will be in the following form:

https://<splunk_server>:8089/servicesNS/<user>/<app>/authorization/roles/<role>

Specifically take note of srchIndexesAllowed and srchIndexesDefault.

You'll probably want to do this in two steps. First GET the current values for these two attributes, put them in a temporary variable, add your new index to the list, and then update the value in Splunk via a POST. Otherwise you may remove existing indexes from your roles, which would be bad.

Testing this in a safe environment first is recommended. 😉
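
The GET-then-POST update described in this answer, as an added example that is not part of the original posts and not Splunk's own code. It assumes the role is fetched with `output_mode=json`; the sample response is constructed, and `build_role_update` and `update_role` are hypothetical helper names.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of a GET <role endpoint>?output_mode=json response,
# trimmed to the fields used here; not captured from a real server.
SAMPLE_ROLE_JSON = json.dumps({"entry": [{"name": "analyst", "content": {
    "srchIndexesAllowed": ["main", "web"],
    "srchIndexesDefault": ["main"],
}}]})

FIELDS = ("srchIndexesAllowed", "srchIndexesDefault")


def build_role_update(role_json, new_index, searchable_by_default=True):
    """Return the form-encoded POST body that adds new_index to a role
    while keeping every index the role already lists."""
    content = json.loads(role_json)["entry"][0]["content"]
    pairs = []
    for field in FIELDS:
        current = list(content.get(field) or [])
        wanted = field == "srchIndexesAllowed" or searchable_by_default
        if wanted and new_index not in current:
            current.append(new_index)
        # The handler takes form-encoded key=value pairs, with the key
        # repeated once per index; the full list must be sent back.
        pairs.extend((field, idx) for idx in current)
    return urllib.parse.urlencode(pairs)


def update_role(role_url, auth_header, new_index):
    """GET the role, then POST the merged lists. role_url is the endpoint
    in the form given above; auth_header is supplied by the caller."""
    headers = {"Authorization": auth_header}
    get = urllib.request.Request(role_url + "?output_mode=json", headers=headers)
    with urllib.request.urlopen(get) as resp:  # TLS verification stays on
        body = build_role_update(resp.read().decode(), new_index)
    post = urllib.request.Request(role_url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(post) as resp:
        return resp.status


if __name__ == "__main__":
    print(build_role_update(SAMPLE_ROLE_JSON, "app_logs"))
```

Apply it only to the roles that actually need the new index, so search access stays as narrow as it was before the index existed.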

paduka
Path Finder

I tried doing it through the temporary variable and am getting the error "In handler 'roles': Argument "</s:key> <s:key name" is not supported by this handler."

paduka
Path Finder

I am new to using REST APIs. Can you please let me know what would be the content of the temporary variable and what command should work?
I tried using - curl -k -u user:password -X POST --data '/s:keytest/s:item/s:list /s:key' \https://127.0.0.1:8089/servicesNS/admin/search/authorization/roles/admin - but it didn't work.
Thanks a lot!

paduka
Path Finder

Thanks a lot!
