Splunk API: What type of object needs to be passed along with my key/value pair via PowerShell to update the 'srchIndexesAllowed' setting for a user role?

amirofmn
Explorer

Hello,

Been stuck trying to figure out what type of object needs to be passed along with my key/value pair, in PowerShell, to update the 'srchIndexesAllowed' setting for a user role. Below is the code I've been using but the updates haven't applied correctly. What I'm attempting to do is remove a specific index from the values, then apply the remaining values back to 'srchIndexesAllowed'.

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization","Splunk $sessionKey")
$UserRole_Get_Response = Invoke-RestMethod -Method Get -Uri "$base_url/services/authorization/roles/test_user_role" -Headers $headers
$UserRole_Get_Response_List = $UserRole_Get_Response.content.dict | ForEach-Object {$_.key} | Where-Object {$_.name -contains "srchIndexesAllowed"}
$arrUserRole_srchIndexesAllowed = @($UserRole_Get_Response_List.list.item)

# Remove index from role
$arrUserRole_srchIndexesAllowed = $arrUserRole_srchIndexesAllowed | Where-Object {$_ -ne "index2remove"}
$body_post = @{
    srchIndexesAllowed="$arrUserRole_srchIndexesAllowed"
}

# Apply update
$UserRole_Post_Response = Invoke-RestMethod -Method Post -Uri "$base_url/services/authorization/roles/test_user_role" -Headers $headers -Body $body_post

Unfortunately it ends up applying the remaining values as a single long string which doesn't work. This can be seen via https://splunk_server:8089/services/authorization/roles/test_user_role

Before:
1. main
2. test
3. index2remove

After:
1. main test

Checking to see if anyone else in the community has successfully passed multiple values for a key to Splunk's API via PowerShell.

Thanks!

1 Solution

amirofmn
Explorer

So I figured out the solution.

I basically removed the '$body_post' portion of the script and replaced it with a for-loop to create a single string with the following pattern, srchIndexesAllowed=main&srchIndexesAllowed=test, and saved it to a new variable. Then I updated the Invoke-RestMethod call to include the new variable and everything updated successfully. 🙂
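
The repeated-key body described in the solution above, as an added example that is not part of the original post. The function name `ConvertTo-RepeatedKeyBody` and the sample index list are constructed for illustration; the read-back step assumes `$base_url` and `$headers` are set as in the question and uses the REST API's `output_mode=json` parameter.

```powershell
# Added example; names and sample values are constructed for illustration.
function ConvertTo-RepeatedKeyBody {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Values
    )
    if ($Values.Count -eq 0) {
        # An empty string would carry no pair for this key at all, so stop
        # and let the caller decide what an empty allow-list should mean.
        throw "No values left for '$Key'; refusing to build an empty body."
    }
    # One key=value pair per item, each part URL-encoded, joined with '&'.
    $pairs = foreach ($v in $Values) {
        '{0}={1}' -f [uri]::EscapeDataString($Key), [uri]::EscapeDataString($v)
    }
    $pairs -join '&'
}

# Constructed sample data matching the "Before" list in the question.
$current   = @('main', 'test', 'index2remove')
$remaining = @($current | Where-Object { $_ -ne 'index2remove' })
$body      = ConvertTo-RepeatedKeyBody -Key 'srchIndexesAllowed' -Values $remaining

# Only contact the server when the question's variables are present.
if ($base_url -and $headers) {
    $uri = "$base_url/services/authorization/roles/test_user_role"
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body `
        -ContentType 'application/x-www-form-urlencoded' | Out-Null

    # Read the role back and confirm each index is a separate list item.
    $check   = Invoke-RestMethod -Method Get -Uri "${uri}?output_mode=json" -Headers $headers
    $applied = @($check.entry[0].content.srchIndexesAllowed | Sort-Object)
    if (($applied -join ';') -ne (($remaining | Sort-Object) -join ';')) {
        Write-Warning "Role index list differs from intent: $($applied -join ', ')"
    }
} else {
    $body   # offline: show the string that would be posted
}
```

The read-back comparison catches the failure mode from the question, where the POST succeeds but the role ends up with one merged entry instead of separate indexes.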

halr9000
Motivator

I converted your comment to an answer so that you get internet points. 🙂

amirofmn
Explorer

Thanks! 🙂

0 Karma

acharlieh
Influencer

Comment because I haven't tried it out yet, but are you passing the remaining indexes back as a semicolon delineated list? That's the format of that property in authorize.conf

0 Karma

amirofmn
Explorer

Great thought. I did try, not per the code above, to pass in a string object where the values were delimited by a semicolon and while the authorize.conf did update per the normal format, it didn't quite apply correctly. Via the web-service the new setting looked like: 1. main;test

0 Karma

halr9000
Motivator

Any reason you are using System.Collections.Generic.Dictionary[[String],[String]]? I've not tried this before, but the first thing I'd do is to see if a regular array works. The problem is likely related to the magic array unrolling that PowerShell likes to do, but I'm not certain.

0 Karma

amirofmn
Explorer

That particular line of code was just for the headers to pass in the session authentication key. The -headers parameter, for Invoke-RestMethod cmdlet, requires a hash key or dictionary object. It can be replaced with a @{} to accomplish the same thing.

0 Karma