From c45ef60ed23019e6afeffe383ac698c71ae463b1 Mon Sep 17 00:00:00 2001 From: Tamara Buch Date: Thu, 28 May 2026 15:51:18 -0500 Subject: [PATCH 1/3] update URI to nobody context --- src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 | 2 +- src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 b/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 index 18b1f20..c9c6333 100644 --- a/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 +++ b/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 @@ -62,7 +62,7 @@ function Export-SplunkData { } #Set the Base URI depending on whether or not an app was specified If($App){ - $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/$($Credential.UserName)/$($App)" + $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/nobody/$($App)" } Else{ $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/services" diff --git a/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 b/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 index 84a2bab..d5afffb 100644 --- a/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 +++ b/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 @@ -33,7 +33,7 @@ function Update-SplunkLookup { process { #Set the Base URI depending on whether or not an app was specified If($App){ - $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/$($Credential.UserName)/$($App)" + $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/nobody/$($App)" } Else{ $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/services" From 3432bead382b9b397c094dec7b6ae2a8b8feee8b Mon Sep 17 00:00:00 2001 
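Review bot: `$CloudDeploymentName` and `$App` are interpolated into `$BaseURI` without validation or escaping, both on this changed line and on the identical line in Update-SplunkLookup.ps1 (patch 3/3 rewrites both the same way). The request built on this URI presumably carries `$Credential`, so a malformed deployment name changes which host receives the credentials, and an `$App` value containing `/`, `?` or `#` changes the REST path. I would constrain the host label where the parameter is declared, e.g. `[ValidatePattern('^[A-Za-z0-9-]+$')]` on `$CloudDeploymentName`, and build the path segment with `[uri]::EscapeDataString($App)`. The param block and the request itself are outside the hunk, so confirm neither is already checked there.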
From: Tamara Buch Date: Thu, 28 May 2026 15:52:28 -0500 Subject: [PATCH 2/3] changelog++ --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f96fe72..8fdcd28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed +## [1.1.7] - 2026-05-28 + +### Changed + +- Export-SplunkData & Update-SplunkLookup: + - Updated Splunk REST search job creation to use the shared app namespace (servicesNS/nobody/) instead of the authenticated user namespace. This avoids severe latency caused by user-specific namespace resolution while preserving app-context search behavior. + ## [1.1.6] - 2026-03-04 ### Changed From 1e4d25d85a7c65299bae070884b92a5408e49eca Mon Sep 17 00:00:00 2001 From: Tamara Buch Date: Thu, 28 May 2026 16:15:11 -0500 Subject: [PATCH 3/3] useprivatecontext --- .../functions/public/Export-SplunkData.ps1 | 13 +++++++++++-- .../functions/public/Update-SplunkLookup.ps1 | 13 +++++++++++-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 b/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 index c9c6333..c8e5591 100644 --- a/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 +++ b/src/UofISplunkCloud/functions/public/Export-SplunkData.ps1 
@@ -27,6 +27,8 @@ Specifies the number of results to return for each Page offsetting by this amount for each Page. Maximum value is 50,000 .PARAMETER MaxResults Use this parameter if the number of results you want returned is greater than 50000. Sets the number of maximum results to return. You must specify an Offset with this parameter. +.PARAMETER UsePrivateContext + Uses the authenticated user's namespace instead of the shared app namespace (nobody). Required for user-private knowledge objects such as private macros, lookups, or saved searches. .EXAMPLE Export-SplunkData -CloudDeploymentName 'illinois' -Search 'index=test test_event' -Credential $Credential -ConsoleOutput -EarliestTime '-15m' .EXAMPLE @@ -52,7 +54,8 @@ function Export-SplunkData { [String]$LatestTime, [ValidateRange(1,50000)] [int]$Offset, - [int]$MaxResults + [int]$MaxResults, + [switch]$UsePrivateContext ) process { @@ -62,7 +65,13 @@ function Export-SplunkData { } #Set the Base URI depending on whether or not an app was specified If($App){ - $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/nobody/$($App)" + If($UsePrivateContext){ + $User = $Credential.UserName + } + Else{ + $User = 'nobody' + } + $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/$($User)/$($App)" } Else{ $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/services" diff --git a/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 b/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 index d5afffb..45e12bf 100644 --- a/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 +++ b/src/UofISplunkCloud/functions/public/Update-SplunkLookup.ps1 
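Review bot: `-UsePrivateContext` has no effect unless `-App` is also given, because the new `If($UsePrivateContext)` branch sits inside `If($App){` and the `Else` path still uses `/services`. A caller who passes the switch alone silently gets a different context from the one requested. I would either warn, `If($UsePrivateContext -and -not $App){ Write-Warning '-UsePrivateContext is ignored without -App' }`, or state the dependency in the `.PARAMETER UsePrivateContext` help added in the first hunk of this file. `$Credential.UserName` also goes into the path unescaped, so an account name containing `\`, `/` or a space would yield a malformed namespace segment; `$User = [uri]::EscapeDataString($Credential.UserName)` avoids that. Both points apply equally to the matching hunk in Update-SplunkLookup.ps1, and the rest of the process block is outside the hunk.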
@@ -13,6 +13,8 @@ Path to the CSV that will replace the lookup at the lookup name provided ie '.\test_2022-14-03.csv' .PARAMETER App Specify the Splunk app to use if required ie 'illinois-urbana-security-techsvc-APP' +.PARAMETER UsePrivateContext + Uses the authenticated user's namespace instead of the shared app namespace (nobody). Required for user-private knowledge objects such as private macros, lookups, or saved searches. .EXAMPLE Update-SplunkLookup -Credential $Credential -CloudDeploymentName 'illinois' -LookupName 'test.csv' -NewCSVPath '.\test_2022-14-03.csv' -App 'illinois-urbana-security-techsvc-APP' #> @@ -27,13 +29,20 @@ function Update-SplunkLookup { [String]$LookupName, [Parameter(Mandatory=$true)] [String]$NewCSVPath, - [String]$App + [String]$App, + [switch]$UsePrivateContext ) process { #Set the Base URI depending on whether or not an app was specified If($App){ - $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/nobody/$($App)" + If($UsePrivateContext){ + $User = $Credential.UserName + } + Else{ + $User = 'nobody' + } + $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/servicesNS/$($User)/$($App)" } Else{ $BaseURI = "https://$($CloudDeploymentName).splunkcloud.com:8089/services"
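Review bot: In Update-SplunkLookup the default namespace decides where data is written, not only how a search resolves. With `$User = 'nobody'` as the default, an existing caller that passes `-App` now targets the app-shared lookup rather than the one in their own namespace, assuming the upload further down uses `$BaseURI`, which is outside this hunk. This default-behaviour change ships as 1.1.7, yet the changelog entry in patch 2/3 describes only search job creation and does not mention `-UsePrivateContext`. I would state it in the help and changelog, and add a comment above the branch such as `#Default is the shared app namespace (nobody); a lookup written here may be visible to other users of the app`. The namespace selection is also duplicated verbatim from Export-SplunkData.ps1, so a small private helper would keep the two in sync.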