topic Re: Need a help with posting data using Rest API's from one Splunk to another in Getting Data In

Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Thu, 18 Jul 2019 01:53:27 GMT

Hello,

I have my own Splunk where I installed SPLUNK ES
and I just got the Search head access from somebody's SPLUNK where I can Create alerts ( no backend Access). Just to see data and create Knowledge objects.

I want to create an alert is 3rd party Splunk and in alert actions I want to use WEBHOOK action and need to give the Splunk rest API to post the alert data into my Search head where I installed ES as a notable events.

how should I post the alert data using rest api from 3rd party Splunk where I got the only UI access to my SPLUNK ES?
how to create an Index using rest API post ?

Thanks in advance..any help would be appreciated..

Re: Need a help with posting data using Rest API's from one Splunk to another

jkat54 — Thu, 18 Jul 2019 11:55:03 GMT

Ok to help clarify...

You want to use webhook to post a notable to ES from another search head that is not ES.

You also do not have admin access on the non-ES SH.

Is this correct?

Re: Need a help with posting data using Rest API's from one Splunk to another

starcher — Thu, 18 Jul 2019 14:55:24 GMT

Have a search that finds what you want to send and send it to the other instance via HEC for indexing.Then you can further search and alert or make notables in the receiving instance. A working TA you can use or rip apart and do your own.
https://splunkbase.splunk.com/app/3508/

Re: Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Thu, 18 Jul 2019 15:14:48 GMT

Can you please explain me little clear..

I really don't know what permissions I will get for that Instance.. might be only Power user where I can just create an alert.. but not the permission to install apps cause that is in our cyber defense center.

That is the reason why I want to post via splunk rest where I can keep that in webhook alert action.

Can I do that ?

Re: Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Thu, 18 Jul 2019 15:26:11 GMT

Yes, You are absolutely correct.. I will have the permissions to create an alert actions where I want to keep splunk rest in webhook.

Thanks,

Re: Need a help with posting data using Rest API's from one Splunk to another

jkat54 — Thu, 18 Jul 2019 16:33:05 GMT

He's saying that you setup HEC on a splunk instance, and use the webhook feature to post to the HEC. You will control the HEC on your end.

Re: Need a help with posting data using Rest API's from one Splunk to another

jkat54 — Thu, 18 Jul 2019 16:33:59 GMT

https://answers.splunk.com/answers/345295/wrap-a-webhook-for-use-with-http-event-collector.html

Re: Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Fri, 19 Jul 2019 12:52:47 GMT

But unfortunately, that is not my criteria.. I want to create alert as a notable event in my ES via via splunk rest end points..

Re: Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Fri, 19 Jul 2019 12:54:53 GMT

But unfortunately, that is not my criteria.. I want to create, alert as a notable event in my ES via splunk rest end points..and I want to know what is the rest end that I can use in webhook.

Re: Need a help with posting data using Rest API's from one Splunk to another

satyaallaparthi — Fri, 19 Jul 2019 15:15:41 GMT

how to add the rest in webhook using HEC...what rest I should add ?