topic Re: Rest search command query a separate Splunk instance in Splunk Search

Rest search command query a separate Splunk instance

rdownie — Wed, 28 Aug 2013 00:36:22 GMT

I have a need to be able to do a search in the Splunk UI using the Rest search command against a completely different instance of Splunk. I see the options allow you to specify a splunk server, is that only within your splunk environment? I don't see a mechanism to include a username or password. I know you can do this with the Rest API utilizing python but would like to be able to pull directly from the Splunk interface without writing an external command to do it. Any ideas?
Thanks,
-Bob

Re: Rest search command query a separate Splunk instance

HiroshiSatoh — Wed, 28 Aug 2013 04:41:15 GMT

What about in the "Distributed search"?

Re: Rest search command query a separate Splunk instance

Ayn — Wed, 28 Aug 2013 07:25:50 GMT

Nope, you can't query non-related Splunk instances from the web interface - unless you write your own custom command for doing something like that. You can, obviously, query Splunk instances that have been added as search peers, though.

Re: Rest search command query a separate Splunk instance

rdownie — Wed, 28 Aug 2013 10:26:53 GMT

Thanks, that is what I suspected. Unfortunately the Splunk instance is embedded in a product that only allows you accees through Rest. I guess using python to write a command through the Rest API is the best option.

Re: Rest search command query a separate Splunk instance

rdownie — Wed, 28 Aug 2013 10:29:52 GMT

Unfortunately, I don't believe I can add the other Splunk instance as a search peer.

Re: Rest search command query a separate Splunk instance

Damien_Dallimor — Wed, 28 Aug 2013 12:01:47 GMT

You can use the REST API Modular Input to poll data from any REST endpoint , including remote Splunk instances.

Re: Rest search command query a separate Splunk instance

HiroshiSatoh — Wed, 28 Aug 2013 13:35:46 GMT

It I wanted to try because I can set from the GUI.

Re: Rest search command query a separate Splunk instance

bmacias84 — Mon, 09 Jun 2014 22:40:26 GMT

This is very unfortunate, since the SOS app uses it for licensing. Licenser is not a part of search pool.

Re: Rest search command query a separate Splunk instance

tweaktubbie — Wed, 11 May 2016 07:37:44 GMT

App has moved (URL) 😉 I'm wondering if there's an equivalent of all the curl solutions in a search query format - not from the CLI but the UI, as I have more or less the same question as topicstarter.

On my webinterface of the heavy forwarder, I'd like to run a (remote) saved search on the search head, to check for the license usage and if >99% stop the heavy forwarding mechanism. This works fine on my testing environment with a single instance machine performing all splunk functionalities on 1 machine.
I can run a CLI sh file connecting and executing the search, but a security issue is I have to plain text include admin:password in the file as every splunk server has its own credentials. Also, on the production environment I don't want to create scripts on the commandline; the general idea is to keep all in the UI and saved searches and prevent prompt access to files.

So in brief: does something like "| rest endpoint=searchheaduriorname:8089 | search /services/somequeryremotely" exist, or is it intentionally or not made available with REST?