Assign the correct role to the index created using the Splunk API

paduka
Path Finder

We want to automate the index creation process so that we don't have to manually create the index before indexing the data to Splunk.

We created the index using the command curl -k -u : //indexer:port/servicesNS///data/indexes -d name=
and the index was created without a restart.

However, after the index is created we wanted to assign the correct role to the index so that it is
a: searchable by default
b: add it to indexes under authorization

We can do it using the GUI but wanted to automate it so that we can either do it from the command line or using a script.

Can anyone suggest how they have handled automatic index creation in the past?

Lowell
Super Champion

Great question. So roles are not assigned to indexes; each role can have a list of indexes that it's allowed to access and a list of indexes to search by default.

So you'll have to add your new index to a role (not the other way around).

The endpoint for doing this will be in the following form:

https://<splunk_server>:8089/servicesNS/<user>/<app>/authorization/roles/<role>

Specifically take note of srchIndexesAllowed and srchIndexesDefault.

You'll probably want to do this in two steps. First GET the current values for these two attributes, put them in a temporary variable, add your new index to the list, and then update the value in Splunk via a POST. Otherwise you may remove existing indexes from your roles, which would be bad.

Testing this in a safe environment first is recommended. 😉
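
Added example, not part of the original answer and not Splunk's own code: a Python sketch of the GET, merge, POST sequence described above, so that existing indexes on the role are preserved. It assumes the role is fetched with `output_mode=json`, that the two lists sit under `entry[0].content`, and that multi-valued attributes are posted as repeated form parameters; the sample JSON is constructed and the function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

ROLE_ATTRS = ("srchIndexesAllowed", "srchIndexesDefault")

# Constructed sample of the role's JSON representation, trimmed to the two
# attributes used here. The entry[0].content layout is an assumption.
SAMPLE_ROLE_JSON = json.dumps({"entry": [{"name": "user", "content": {
    "srchIndexesAllowed": ["main", "web"],
    "srchIndexesDefault": ["main"],
}}]})


def current_indexes(role_json):
    """Step 1: read the index lists the role has right now."""
    content = json.loads(role_json)["entry"][0]["content"]
    return {attr: list(content.get(attr) or []) for attr in ROLE_ATTRS}


def build_update_body(role_json, new_index, attrs=ROLE_ATTRS):
    """Step 2: keep every existing index and append new_index once.
    Multi-valued attributes are sent as repeated form keys."""
    existing = current_indexes(role_json)
    pairs = []
    for attr in attrs:
        values = existing[attr]
        if new_index not in values:
            values.append(new_index)
        pairs.extend((attr, value) for value in values)
    return urllib.parse.urlencode(pairs)


def add_index_to_role(role_url, new_index, user, password, cafile=None):
    """GET the role, merge, POST it back. role_url is the role endpoint in the
    form shown above; cafile is the CA bundle that signed the Splunk cert."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}
    ctx = ssl.create_default_context(cafile=cafile)  # verifies TLS, unlike curl -k
    get = urllib.request.Request(role_url + "?output_mode=json", headers=headers)
    with urllib.request.urlopen(get, context=ctx) as resp:
        body = build_update_body(resp.read().decode(), new_index)
    post = urllib.request.Request(role_url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(post, context=ctx) as resp:
        return resp.status
```

Passing `attrs=("srchIndexesAllowed",)` to `build_update_body` grants access to the new index without also making it searched by default.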

paduka
Path Finder

I tried doing it through the temporary variable and am getting the error "In handler 'roles': Argument "</s:key> <s:key name" is not supported by this handler."

paduka
Path Finder

I am new to using REST APIs. Can you please let me know what would be the content of the temporary variable and what command should work?
I tried using - curl -k -u user:password -X POST --data '/s:keytest/s:item/s:list /s:key' \https://127.0.0.1:8089/servicesNS/admin/search/authorization/roles/admin - but it didn't work.
Thanks a lot!

paduka
Path Finder

Thanks a lot!
