Using Splunk Enterprise 6.2.1 along with the latest version of the splunk-reskit-powershell toolkit, I (and others on my team with local installations of Splunk Enterprise) are having trouble automating the creation of an index using New-SplunkIndex. The code looks something like this:
Import-Module Splunk
Disable-CertificateValidation
Connect-Splunk -ComputerName $env:COMPUTERNAME -Protocol https -Port 8089
New-SplunkIndex -Name test
The error message:
Invoke-HTTPPost : Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (400) Bad Request."
Using verbose output, we get this response:
<response>
<messages>
<msg type="ERROR">
In handler 'indexes': Argument "search" is not supported by this handler.</msg>
</messages>
</response>
Digging into the verbose output, we can see the data being POST'ed to the Splunk endpoint:
VERBOSE: [Invoke-HTTPPost] :: $PostString = search=&name=test
We were able to dig into Splunk-Core.psm1, modify the Invoke-HttpPost function, and get past this error. We did so by essentially commenting out line 224.
Based on our limited research, it seems like the core Invoke-HTTPPost method always includes a search value within the message body being POST'ed; however, the REST endpoint for creating a new index rejects the search parameter.
Is there a different way we should be using the toolkit to create an index, or is this a bug within the toolkit itself?
It is a bug (created issue #13). Submit a pull request or open an issue if you'd like credit for the fix: https://github.com/splunk/splunk-reskit-powershell
The toolkit is open source, and in need of refactoring to use our v2 .NET SDK. Chip in if that's something you're interested in helping with.
Great troubleshooting, by the way!
Thanks for the response. Although this doesn't change my situation, you did answer my question - marking this as the answer.
I would submit a PR, but my change lacks the context of the larger use of Invoke-HTTPPost; I think it's too narrow-sighted. Instead, we will move forward by implementing our own version of New-SplunkIndex using HTTP against the REST API.
Just checked out the code and confirmed the bug. I created an issue to track this as well: https://github.com/splunk/splunk-reskit-powershell/issues/13
Makes sense. I do hope we come back to this project for a refresh. Adding a reminder for myself to look into it.
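The workaround mentioned in the comments above (calling the REST API directly rather than going through Invoke-HTTPPost), sketched as an added example that is not code from the thread or from the toolkit. It builds the POST body only from arguments that carry a value, so no empty search= key is sent, and it leaves certificate validation on. The function names are hypothetical, and it assumes that splunkd accepts HTTP basic authentication on the management port and that its certificate is trusted by the client and matches the host name used.

```powershell
# Added example: names below are hypothetical, not part of splunk-reskit-powershell.

function ConvertTo-SplunkPostBody {
    param([Parameter(Mandatory)][hashtable]$Arguments)
    # Emit only keys that carry a value; an empty "search=" is what the
    # 'indexes' handler rejected with 400 Bad Request.
    $pairs = foreach ($key in ($Arguments.Keys | Sort-Object)) {
        $value = [string]$Arguments[$key]
        if ($value -ne '') {
            '{0}={1}' -f [uri]::EscapeDataString($key), [uri]::EscapeDataString($value)
        }
    }
    $pairs -join '&'
}

function New-SplunkIndexViaRest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Port = 8089
    )
    $uri  = 'https://{0}:{1}/services/data/indexes' -f $ComputerName, $Port
    $body = ConvertTo-SplunkPostBody -Arguments @{ name = $Name }

    # Assumption: splunkd accepts HTTP basic authentication on the management port.
    $net   = $Credential.GetNetworkCredential()
    $basic = [Convert]::ToBase64String(
        [Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $net.UserName, $net.Password)))

    Write-Verbose "POST $uri :: $body"   # body only; never log the Authorization header
    if (-not $PSCmdlet.ShouldProcess($uri, "Create index '$Name'")) { return }
    try {
        # No Disable-CertificateValidation: the TLS certificate is checked normally.
        Invoke-RestMethod -Uri $uri -Method Post -Body $body `
            -ContentType 'application/x-www-form-urlencoded' `
            -Headers @{ Authorization = "Basic $basic" }
    }
    catch {
        # Surface splunkd's <msg type="ERROR"> text instead of a bare 400.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Index creation failed for '$Name': $detail"
    }
}
```

Running `New-SplunkIndexViaRest -Name test -Credential (Get-Credential) -WhatIf -Verbose` shows the URI and body that would be sent without creating the index.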