We have successfully POSTed to our custom endpoint and modified the roles of a user in Splunk.
How did this work?
If you look back at the custom_endpoint.py file, you will see that it POSTs hardcoded values, which results in an automatic role change. If you wanted to change your user back to the user role only, instead of user and admin, you would need to change the following line in your custom_endpoint.py file:
Then go back to the /send custom endpoint and it will change the user role. Of course, this is only for testing purposes and wouldn’t be very efficient at changing our user’s roles. Next, we will be working to automate this process.
A Dose of Reality
At this point you may be wondering why we are creating a custom endpoint for another endpoint that already exists. As a real-life example, this is probably overkill, since we could just open up /services/admin/users/<user> to allow us to POST to it directly. However, even with that approach we should be mindful of any security concerns it may pose. Realistically, if a pre-existing endpoint doesn’t allow you to POST to it, it’s probably worth taking a moment to consider why.
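One way to guard a role-changing endpoint before it forwards anything to /services/admin/users/<user>, as an added example that is not the code from this post. The allow-list, the username pattern and the function and exception names are assumptions, as is passing the caller's capabilities in as a set.

```python
import re
from urllib.parse import quote, urlencode

# Assumed policy for this sketch (not from the original post).
ASSIGNABLE_ROLES = {"user", "power"}   # roles this endpoint may hand out
REQUIRED_CAPABILITY = "edit_user"      # capability the caller must hold
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RoleChangeRejected(ValueError):
    """Raised when a role-change request fails a server-side check."""


def build_role_change(caller_capabilities, target_user, requested_roles):
    """Validate a request; return (path, form body) for the users endpoint."""
    if REQUIRED_CAPABILITY not in caller_capabilities:
        raise RoleChangeRejected("caller may not change roles")
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    # The pattern keeps '/', '.', '?' and '#' out of the REST path.
    if not USERNAME_RE.fullmatch(target_user or ""):
        raise RoleChangeRejected("invalid target username")
    roles = sorted(set(requested_roles))
    if not roles:
        raise RoleChangeRejected("at least one role is required")
    denied = [r for r in roles if r not in ASSIGNABLE_ROLES]
    if denied:
        # 'admin' is deliberately absent from the allow-list above.
        raise RoleChangeRejected("not assignable here: " + ", ".join(denied))
    path = "/services/admin/users/" + quote(target_user, safe="")
    # One 'roles' form field per role being assigned.
    body = urlencode([("roles", r) for r in roles])
    return path, body


if __name__ == "__main__":
    # Constructed sample requests.
    print(build_role_change({"edit_user"}, "alice", ["user", "power"]))
    for user, roles in [("alice", ["admin"]), ("../server", ["user"])]:
        try:
            build_role_change({"edit_user"}, user, roles)
        except RoleChangeRejected as exc:
            print("rejected:", exc)
```

Anything the dashboard form sends should pass through checks like these on the server side, since form values can be changed by whoever submits them.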
Creating Our Dashboard
Now that we know we can post to it, let’s create a basic form in the Splunk user interface (UI).
Next, we’ll create our dashboard. If you’re interested, check out the screencast for Setting up the dashboard here. In Splunk’s UI, go into the Search and Reporting app, click ‘Dashboards’ in the top menu, and then click ‘Create New Dashboard’. Fill out the form to create your new dashboard. You can call it whatever you like. I am calling mine “Custom Endpoint”.
Once you’ve created your new dashboard, click on ‘Edit’ > ‘Edit Source’ and replace the Simple XML with the following:
We haven’t created our custom_endpoint.js file yet, but we will do that shortly. Save your changes. Your dashboard should look like this: