
Is it possible to create job with other user restriction in splunk js sdk ?

stamstam
Explorer

I'm trying to create job connecting as admin with other user restriction.
I have created user 'weak', user 'weak' can't search on internal indexes. The restriction created with role.
I tried changing the namespace in job creation:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

let namespace = {
    owner: "weak",
    app: "search"
}

service.jobs(namespace).create(params.search, params, function (err, job) {
    if (err) {
        console.log(err);
        return;
    }
    // job is the created search job; its owner is what I inspect in the UI
});

I also tried using namespace with servicesNS:

const splunkjs = require('splunk-sdk');

const service = new splunkjs.Service({
    scheme: "https",
    host: "myhost",
    port: "8089",
    username: "admin",
    password: "mypass",
    version: "default"
});

let params = {
    search: "search index=_internal | table *",
    exec_mode: "normal",
    earliest_time: "1551391200",
    latest_time: "1554199680",
    adhoc_search_level: "fast"
}

let user = "weak";
service.post("/servicesNS/" + user + "/search/search/jobs", params, function (err, response) {
    if (err) {
        console.log(err);
        return;
    }
    // response.data holds the created job's sid
});

When I inspect the job in the Splunk UI the owner is always admin, and not weak.


badarsebard
Communicator

There doesn't seem to be a way to do it using the search/jobs endpoint. However, you can do this with a saved search.

  1. Create a saved search owned by the admin with the query and settings you need run.
  2. POST to the saved/searches/{name}/dispatch endpoint to execute the search, making sure to set the dispatchAs parameter to the name of your user (i.e. weak from your question above).

This should execute the saved search as the specified user and return the sid which you can use to retrieve the results.

The big hole in this solution is you need to know the search query to use for the saved search ahead of time so it can be created. If that's a problem and you really need to be able to create adhoc searches that run as a different user, you can also take a look at the args parameter of the above saved searches endpoint which allows you to specify different args.{name} parameters and use them in a token style syntax of the search (i.e. search index=$args.index$).

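The two-step recipe from the answer above, written out as an added example (this is not code from the thread or from Splunk's SDK docs). It builds the two REST requests as plain objects so the shapes can be checked without a server, then, only when SPLUNK_HOST is set, performs them with the same `service.post` call the question uses (plus `service.login`, which the JS SDK provides). The saved search name, the index token value and the environment variable names are constructed for illustration; the `dispatchAs` parameter and its value are used exactly as the answer describes, so confirm them against the REST API reference for your Splunk version. Because `$args.index$` is substituted into SPL as text, the dispatch builder refuses any token value that is not a plain identifier, which keeps a caller-supplied value from appending pipes or subsearches to the template.

```javascript
// Added example: saved-search template dispatched as another user via the
// Splunk REST API. Names and token values are constructed, not from the thread.

const SAVED_SEARCH_NAME = "run_as_weak_template"; // constructed saved search name
const OWNER_USER = "admin";                       // owner of the saved search
const APP = "search";
const RUN_AS_USER = "weak";                       // user the search should run as

// $args.*$ tokens are pasted into SPL as text, so only plain identifiers are
// accepted; pipes, quotes and brackets are rejected before anything is sent.
const SAFE_TOKEN = /^[A-Za-z0-9_-]+$/;

function savedSearchesPath(owner, app) {
  return `/servicesNS/${encodeURIComponent(owner)}/${encodeURIComponent(app)}/saved/searches`;
}

function dispatchPath(owner, app, name) {
  return `${savedSearchesPath(owner, app)}/${encodeURIComponent(name)}/dispatch`;
}

// Step 1: body for creating the template saved search owned by admin.
function savedSearchBody(name) {
  return {
    name,
    // $args.index$ is filled from the args.index parameter at dispatch time
    search: "search index=$args.index$ | table *",
    "dispatch.earliest_time": "1551391200",
    "dispatch.latest_time": "1554199680",
  };
}

// Step 2: body for dispatching the template as another user with a
// validated token value. Throws instead of building an unsafe request.
function dispatchBody(runAs, index) {
  if (!SAFE_TOKEN.test(runAs) || !SAFE_TOKEN.test(index)) {
    throw new Error("refusing to build dispatch request with unsafe token value");
  }
  return {
    dispatchAs: runAs,   // parameter name and value as given in the answer above
    "args.index": index,
  };
}

// Wrap the SDK's callback style in a promise; resolves with the response.
function postAsync(service, path, body, ignoreStatus) {
  return new Promise((resolve, reject) => {
    service.post(path, body, (err, response) => {
      if (err && err.status !== ignoreStatus) return reject(err);
      resolve(response);
    });
  });
}

async function runLive() {
  const splunkjs = require("splunk-sdk");
  const service = new splunkjs.Service({
    scheme: "https",
    host: process.env.SPLUNK_HOST,
    port: "8089",
    username: process.env.SPLUNK_USER, // assumed env vars for the admin login
    password: process.env.SPLUNK_PASS,
    version: "default",
  });
  await new Promise((resolve, reject) => service.login((err) => (err ? reject(err) : resolve())));

  // Step 1: create the template; a 409 means it already exists from an earlier run.
  await postAsync(service, savedSearchesPath(OWNER_USER, APP), savedSearchBody(SAVED_SEARCH_NAME), 409);

  // Step 2: dispatch it as 'weak'; the JSON body of the response carries the sid.
  const resp = await postAsync(service, dispatchPath(OWNER_USER, APP, SAVED_SEARCH_NAME),
                               dispatchBody(RUN_AS_USER, "_internal"));
  console.log("dispatched sid:", resp.data && resp.data.sid);
}

if (process.env.SPLUNK_HOST) {
  runLive().catch((err) => { console.error(err); process.exitCode = 1; });
}

module.exports = { savedSearchesPath, dispatchPath, savedSearchBody, dispatchBody };
```

Run it with `SPLUNK_HOST`, `SPLUNK_USER` and `SPLUNK_PASS` set; with a working dispatch the job visible in the UI should then be owned by the user named in `dispatchAs`, which is the check the question was after. Keeping the SPL fixed in the saved search and passing only validated `args.*` values is also what stops the template from becoming an arbitrary-search endpoint for anyone allowed to dispatch it.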