topic learn splunk rest interface in Getting Data In

learn splunk rest interface

cevyn — Tue, 04 Oct 2016 16:48:09 GMT

I have tried multiple time to get my hands around this API. I have read through the tutorials multiple times and yes what the examples say works. However I'm trying to learn how to ask "I need this item from the REST Interface" How do I figure out how to do that via the REST Interface?

Just back from .conf 2016 and had hoped to find help there but without success for this.

If I ask someone how to get X from REST - they say use this command to pull X.
When I ask how they figured it out they say I got the command from someone else because the rest API is so cryptic.

A good doc to teach rather than offer 2-3 examples would be much appreciated. If it exists please point me at it!

Re: learn splunk rest interface

frobinson_splun — Tue, 04 Oct 2016 17:41:35 GMT

Hi @cevyn,
I'd like to help with some of your questions. To start, are you familiar with using other REST APIs for create/read/update/delete type operations? Have you used a client or cURL before? Our docs don't cover this kind of general information, but if you can provide more details about your situation, I can suggest some resources.

Re: learn splunk rest interface

cevyn — Tue, 04 Oct 2016 18:00:46 GMT

So for example try working in reverse order. Through conversations with peers I found I could add this to a dashboard to get what indexers had listening turned off:
| rest /services/configs/conf-inputs | search title="tcp" AND disabled=1 | stats count by title,splunk_server | eventstats count

SO I'm not worried about access via curl. That is not my question.

I would love to see a document that walks me through from the existing doc how I might research to find that tidbit of information. I'm giving one example but what I'm seeking is learning method rather than a 100 tribal knowledge tidbits. Teach me the mathematical proof rather than 100 examples of the calculation of area of a triangle, if I can use that weak metaphor.

Re: learn splunk rest interface

frobinson_splun — Tue, 04 Oct 2016 18:14:06 GMT

Hi again @cevyn,
Posting this as an answer now that I have more details on what you need. I would start by checking out the following resources in our docs.

URI quick reference: lists available endpoints
http://docs.splunk.com/Documentation/Splunk/6.5.0/RESTREF/RESTlist

Resource group listing here gives you a high-level sense of how the endpoints are organized into groups for managing or accessing different things:
http://docs.splunk.com/Documentation/Splunk/6.5.0/RESTREF/RESTprolog

And from there, you could explore the different endpoint resource group topics to review what endpoints are available in each and what operations you can do with each endpoint. As a note, endpoints support one or more of these operations: GET/POST (for create and update)/DELETE.
For example, here's the latest version of our configuration resource group topic:
http://docs.splunk.com/Documentation/Splunk/6.5.0/RESTREF/RESTconf

Each endpoint has a brief description of its purpose and the resources it represents, and then you can review parameter and returned value details for each operation. Every endpoint also includes an example request and response for each operation that it supports.

I would recommend exploring these topics to get more familiar with the Splunk REST API. It might take some time to get used to it, but you should be able to find the information you need.

The other thing I would recommend is reviewing the configuration spec files in our Admin manual. Configuration files represent many system resources and settings.

The REST API and configuration files are closely related. For example, the REST command you mention above involves editing inputs.conf. In order to use the REST API to edit this file, you would also need to know what you can configure in it. Review the spec file to learn more.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

Then, you could use the /configs/conf-{file} or /conf-{file}/{stanza} endpoints to make updates to inputs.conf.

Hope this helps!