Things We Can Do In Splunk Using The REST Command

An Application Programming Interface (API) is basically code that allows two software programs to communicate with each other. There are different kinds of API, but when we hear people talk about the Google API or the Instagram API etc., they are basically talking about a REST API. A REST API works pretty much the same way a website does: you make a call from a client to a server and get data back over the HTTP protocol.

In the case of the Splunk REST API, whatever we can do functionality-wise in Splunk Web is also achievable through the REST API. In fact, whatever Splunk Web does, it does by internally calling the REST API. To work with the REST API in Splunk we need an endpoint, which is nothing but a URL that we hit, passing the parameters that API requires; that URL is called the endpoint. In Splunk each object has its own endpoint to work with.

There are two ways to build an endpoint URL: with services or with servicesNS. Whenever we need to maintain a user and application context we go with servicesNS; otherwise we go with services.

Let’s take an example: there is a search endpoint called search/jobs, which mainly allows you to create a search. Here you can use it in two possible ways.

|rest /services/search/jobs

<OR>

|rest /servicesNS/admin/search/search/jobs
(here admin and search are my user and application respectively)

Until now we have given you the best possible introduction to the Splunk REST API. Now we are going to discuss some regular and very useful use cases that can be solved very easily in Splunk through the REST API. So let’s start.

1. Access saved search jobs
Solution:

| rest /services/search/jobs | search isSaved=1

2. List of all users with their roles
Solution:

|rest /services/authentication/users
|table title,roles

3. User login details (last successful login per user)
Solution:

|rest /services/authentication/users
|fields title email id last_successful_login
|eval last_successful_login=strftime(last_successful_login,"%Y-%m-%d:%H-%M-%S")
|rename title as user

4. List current active users
Solution:

| rest splunk_server=local /services/authentication/current-context
| rename username as auth_user_id
| fields auth_user_id

5. All triggered alert details
Solution:

|rest /services/alerts/fired_alerts
|fields eai:acl.owner title triggered_alert_count splunk_server

6. Details of the log files being monitored in Splunk
Solution:

| rest /services/data/inputs/all
| table title source sourcetype index

7. Owners of dashboards and reports
Solution:

| rest /services/data/ui/views
| table author title eai:acl.app eai:type
| rename eai:type as Type
| append
    [| rest /services/saved/searches
    | table author title eai:acl.app
    | eval Type="SavedSearch/Report"]
| rename author as Owner title as Name eai:acl.app as AppName
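The same endpoints can be called from outside Splunk Web. This is an added Python example, not code from the original post: it builds the services/servicesNS URL the way described above, and flattens the JSON response into the same columns (title, author, eai:acl.*) that | rest shows, reproducing use case 7 on constructed sample data. The host, token and object names are assumptions.

```python
import json
import ssl
import urllib.parse
import urllib.request

def build_endpoint(base, path, user=None, app=None):
    """services/ for the global context; servicesNS/<user>/<app>/ when a user and app context must be kept."""
    path = path.strip("/")
    if user and app:
        ns = f"servicesNS/{urllib.parse.quote(user)}/{urllib.parse.quote(app)}"
    else:
        ns = "services"
    return f"{base.rstrip('/')}/{ns}/{path}?output_mode=json&count=0"

def fetch(url, token):
    """GET one endpoint with a Splunk authentication token (assumed); TLS verification stays on."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return json.load(r)

def flatten_entry(entry):
    """One JSON entry -> the columns | rest shows: name becomes title, acl keys become eai:acl.*."""
    row = {"title": entry.get("name"), "author": entry.get("author")}
    for k, v in entry.get("acl", {}).items():
        row[f"eai:acl.{k}"] = v
    row.update(entry.get("content", {}))  # content keys (e.g. eai:type) keep their names
    return row

def owners(views_json, searches_json):
    """Use case 7: (Owner, Name, AppName, Type) rows for dashboards and reports."""
    rows = []
    for src, fixed in ((views_json, None), (searches_json, "SavedSearch/Report")):
        for r in map(flatten_entry, src.get("entry", [])):
            rows.append((r["author"], r["title"], r.get("eai:acl.app"), fixed or r.get("eai:type")))
    return rows

# Constructed sample responses, shaped like Splunk's output_mode=json entries.
SAMPLE_VIEWS = {"entry": [{"name": "soc_overview", "author": "analyst1",
    "acl": {"owner": "analyst1", "app": "search", "sharing": "app"},
    "content": {"eai:type": "views"}}]}
SAMPLE_SEARCHES = {"entry": [{"name": "Failed logins", "author": "admin",
    "acl": {"owner": "admin", "app": "search", "sharing": "global"},
    "content": {"search": "index=_audit action=login_attempt info=failed"}}]}

if __name__ == "__main__":
    print(build_endpoint("https://splunk.example:8089", "search/jobs", "admin", "search"))
    for row in owners(SAMPLE_VIEWS, SAMPLE_SEARCHES):
        print(row)
```

Against a live instance, replace the samples with fetch(build_endpoint(base, "data/ui/views"), token) and fetch(build_endpoint(base, "saved/searches"), token).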

8. Today’s license usage details
Solution:

| rest /services/licenser/pools

9. Check application or add-on versions
Solution:

| rest /services/apps/local
| fields label author version description
| rename label as AppName

10. See the expanded query (definition) of all macros
Solution:

| rest /services/configs/conf-macros
| eval config="macros"
| fields config author definition title

11. Number of currently logged-in users in a cluster environment
Solution:

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=mymaster.company.corp
| search NOT userName="admin" searchId=""
| stats dc(userName) AS count

We hope you have enjoyed this blog; we will come back with new Splunk topics. Until then, goodbye and stay safe and strong.

Happy Splunking!!
