Spread our blog

Things We Can Do In Splunk Using The REST Command

Application Programming Interface (API), it’s basically code that allows two software programs to communicate with each other.There are different kinds of API,but when we hear people talk about Google API or Instagram API etc, basically they are talking about REST API. REST API works pretty much the same way a website does. You make a call from a client to a server and you get data back over HTTP protocol.

In case of Splunk REST API whatever we do functionality wise or in Splunk web is can be achievable by REST API. In fact the Splunk web whatever they do they internally call REST API. In Splunk to work with REST API successfully, we need an end-point, it is nothing but a URL which will be hitting by passing some required parameters to that API to work so that URL is called end point. In Splunk each object has their own end-point to work with.

Now there are two ways that we can build an end-point URL, either by servicesNS or with services. Whenever we will maintain a user and application context then we will go with servicesNS, other than anything we will go with services

Let’s take an example there are a search end-point call search/jobs, which is mainly allow you to create a search. Here you can use it in two possible ways.

|rest /services/search/jobs


|rest /servicesNS/admin/search/search/jobs 
(here admin and search are my user and application respectively)

Until now we have given you a best possible introduction on Splunk REST API. Now we are going to discuss some of the regular and very useful use cases  that can be solved very easily in Splunk through REST API. So let’s start.

1. Access Saved search jobs

| rest /services/search/jobs | search isSaved=1


2. List of all users according to their roles

|rest /services/authentication/users
|table title,roles


3. User logged in details

|rest /services/authentication/users 
|fields eai:acl.sharing email id last_successful_login password 
|eval last_successful_login=strftime(last_successful_login,"%Y-%m-%d:%H-%M-%S") 
|rename eai:acl.sharing as user


4. List current active users

| rest splunk_server=local /services/authentication/current-context 
| rename username as auth_user_id 
| fields auth_user_id


5. All triggered alert details

|rest /services/alerts/fired_alerts 
|fields eai:acl.owner title triggered_alert_count splunk_server


6.Details of those log files are being monitored in Splunk

| rest /services/data/inputs/all
| table title source sourcetype index


7. Owner of  dashboards and Reports

| rest /services/data/ui/views
| table author title eai:acl.app eai:type
| rename eai:type as Type
| append
    [| rest /services/saved/searches
    | table author title eai:acl.app
    | eval Type="SavedSearch/Report"]
| rename author as Owner title as Name eai:acl.app as AppName


8. Today’s license usage details

| rest /services/licenser/pools


9.Check Application or Add-ons version

| rest /services/apps/local
|fields label  author version description
|rename label as AppName


10.See all the macros expanded query

| eval config="macros" 
|fields config author definition title


11.Number of current logged in users in the Cluster environment

| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=mymaster.company.corp
|search NOT userName="admin" searchId=""
|stats dc(userName) AS count

Hope you have enjoyed this blog, we will come back with new topics of Splunk. Until then goodbye and stay safe and strong.

Happy Splunking!!

What’s your Reaction?

Spread our blog


Please enter your comment!
Please enter your name here