topic Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on? in All Apps and Add-ons

Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

Igor1984 — Wed, 19 Apr 2017 09:19:42 GMT

Hi,

We are currently planing an automated deployment of Splunk our VPCs on AWS. To do this, we need to configure the Splunk Add-on for Amazon Web Services via API. So, it would be great if we could see the documentation for the API.
So the question is: How can I access the REST API and find out what are the allowed operations for the Splunk Add-on for Amazon Web Services?

Thanks,
Igor

Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

asf_stripe — Fri, 26 Jan 2018 10:10:40 GMT

I just had the same problem as you, and I found this endpoint: https://localhost:8089/servicesNS/nobody/Splunk_TA_aws

I am poking around this endpoint with curl and jq, which I've defined this handy shell function for: req() {curl -ku admin:changeme "$1?output_mode=json" | jq -C . | less -R} (of course, you'll have to adjust the admin/changeme passwords to suit your deployment).

Then, req https://localhost:8089/servicesNS/nobody/Splunk_TA_aws to discover all the query endpoints that the AWS add-on REST api supports. You'll see, for example:

{ "name": "splunk_ta_aws_iam_roles", "id": "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles", "updated": "2018-01-26T10:08:27+00:00", "links": { "alternate": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles", "create": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new", "list": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles", "_acl": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_acl" }, "author": "system", "acl": { "app": "", "can_list": true, "can_write": true, "modifiable": false, "owner": "system", "perms": null, "removable": false, "sharing": "system" }, "content": { "eai:acl": null } },

The links section here takes you to other endpoints that you can use, and you can, for example, make a GET request on the "create" endpoint to figure out the parameters that it takes.

As a side note, I'm pretty sure there are no guarantees on backwards/forwards-compatibility here, but I super feel your pain re. having to set up machines automatically, so it looks like this is the best way to set things up automatically for now.

Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

asf_stripe — Fri, 26 Jan 2018 13:13:30 GMT

One additional note that tripped me up: To create an object, you POST to the plain endpoint, not the one ending in /_new, so for example POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles - not POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new!

Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

drutstein — Tue, 29 Sep 2020 18:10:25 GMT

Check out the tools found in Splunk_TA_aws/bin/tools/configure. This will provide you with a CLI approach to add IAM roles by using your custom-created JSON files for your configurations.

You can run something like the following:

/opt/splunk/bin/splunk cmd python aws_config_cli.py iam-role create --config-file description_input.json --hostname localhost

This will expect your description_input.json file and a separate splunk-info.json file that contains your authentication information. Unfortunately it doesn't look like you can specify a file/location name for splunk-info.json so it needs to reside in the same directory as the aws_config_cli.py script.

Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

mcluver — Sat, 06 Oct 2018 03:57:10 GMT

I was provided some specific documentation on this REST API, you may find this helpful: http://splunkservices.io/downloads/PROD-AWSAdd-on4.0.0ConfigurationRESTAPIReference-210417-1515-50.pdf

I'm planning to make a Terraform provider for this API at some point, as I suspect many may find it helpful.

Re: Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

we553 — Thu, 05 Mar 2020 10:54:23 GMT

@mcluver any chance you have the update URL on where this documentation moved to?

I am currently working on automating adding our accounts into the AWS addon as well as keeping the accounts up to date and having some trouble. I think this info would help. Thanks!