Did you ever wonder how to see the REST API calls Splunk Web is making to splunkd when you click around the web UI? There may be a specific task you are trying to perform via REST, yet you don't know the specific endpoint to hit for the REST API. You can do this through the web UI but are having trouble finding the right syntax for the REST API call?
- Enable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

```
[python]
splunk = DEBUG
splunk.appserver = DEBUG
splunk.appserver.controllers = DEBUG
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = DEBUG
splunk.appserver.lib = DEBUG
splunk.pdfgen = DEBUG
```

- Restart Splunk:

```
cd $SPLUNK_HOME/bin
./splunk restart
```

- Tail the web_service.log file in $SPLUNK_HOME/var/log/splunk/:

```
tail -f web_service.log
```

- Tail the splunkd_access.log file in $SPLUNK_HOME/var/log/splunk/:

```
tail -f splunkd_access.log
```

- Log in to the web UI and generate the change you intend to discover. In this example we are updating the LDAP Group Name mapping to Splunk role to add a role (power) to the existing LDAP Group Name (splunk_test). Actions through the web UI: Settings > Access Controls > Authentication Method > LDAP Settings > Map groups > click LDAP group name > add or remove a role > Save.

- Stop tailing the web_service.log and splunkd_access.log once your web UI actions are complete.

- In web_service.log you will see the endpoint path and argument key/values passed:

```
2015-11-05 20:01:55,759 DEBUG [563bfc036d7f3a387e2290] admin:1120 - endpoint_path:: admin/LDAP-groups/splunk_test.
2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', 'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}
```

- In splunkd_access.log you will see the POST similar to:

```
127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms
```

- Piecing this information together you can generate your curl command:

```
curl -k -u admin:changeme https://localhost:8089/servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test -d roles=user -d roles=power
```

- Disable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

```
[python]
splunk = INFO
splunk.appserver = INFO
splunk.appserver.controllers = INFO
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = INFO
splunk.appserver.lib = INFO
splunk.pdfgen = INFO
```

- Restart Splunk:

```
cd $SPLUNK_HOME/bin
./splunk restart
```
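Added example, not part of the original answer and not Splunk's own code: a Python sketch that pairs the "Saving Entity" line from web_service.log with the POST from splunkd_access.log and emits the matching curl call. The sample lines are the two quoted in the answer; the rule that drops `splunk_form_key` and `f_*` keys is an assumption based on what the answer's curl command omits, and `-u admin` (curl prompts for the password) is a choice made here.

```python
import ast
import re
import shlex

# Constructed sample input: the two log lines quoted in the answer above.
WEB_SERVICE_LINE = (
    "2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to "
    "namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test "
    "args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', "
    "'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}"
)
ACCESS_LINE = (
    '127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/'
    'admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms'
)
SAVE_RE = re.compile(r"Saving Entity to namespace=\S* owner=\S* endpoint_path=(\S+) "
                     r"entity_name=(\S+) args=(\{.*\})\s*$")
POST_RE = re.compile(r'"POST (\S+) HTTP/[\d.]+" (\d{3}) ')


def parse_save(line):
    """Return (endpoint_path, entity_name, args) from a 'Saving Entity' DEBUG line."""
    m = SAVE_RE.search(line)
    # args is a Python 2 repr; literal_eval parses it without executing anything.
    return (m.group(1), m.group(2), ast.literal_eval(m.group(3))) if m else None


def parse_post(line):
    """Return (path, status) for a POST in splunkd_access.log, else None."""
    m = POST_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def rest_fields(args):
    """Drop splunk_form_key and f_* keys (assumed UI-only, as the curl above omits them)."""
    pairs = []
    for key, value in sorted(args.items()):
        if key == "splunk_form_key" or key.startswith("f_"):
            continue
        pairs += [(key, v) for v in (value if isinstance(value, list) else [value])]
    return pairs


def build_curl(access_line, save_line, base="https://localhost:8089"):
    post, save = parse_post(access_line), parse_save(save_line)
    if not post or not save or post[1] != 200 or not post[0].endswith(save[1]):
        raise ValueError("POST does not match the saved entity")
    data = " ".join("-d " + shlex.quote("%s=%s" % kv) for kv in rest_fields(save[2]))
    # "-u admin" makes curl prompt for the password instead of taking it as an argument.
    return "curl -k -u admin %s %s" % (shlex.quote(base + post[0]), data)
```

`build_curl(ACCESS_LINE, WEB_SERVICE_LINE)` returns the same endpoint and `-d roles=...` arguments as the curl command in the answer.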
