How to fish with REST?

rphillips_splk
Splunk Employee

Did you ever wonder how to see the REST API calls Splunk Web is making to splunkd when you click around the web UI? There may be a specific task you are trying to perform via REST, yet you don't know the specific endpoint to hit for the REST API. You can do this through the web UI but are having trouble finding the right syntax for the REST API call?

1 Solution

rphillips_splk
Splunk Employee
  1. Enable DEBUG for python in $SPLUNK_HOME/etc/log.cfg

[python]
splunk = DEBUG
splunk.appserver = DEBUG
splunk.appserver.controllers = DEBUG
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = DEBUG
splunk.appserver.lib = DEBUG
splunk.pdfgen = DEBUG

Restart Splunk:
cd $SPLUNK_HOME/bin
./splunk restart

Tail the web_service.log file in $SPLUNK_HOME/var/log/splunk/

tail -f web_service.log

Tail the splunkd_access.log file in $SPLUNK_HOME/var/log/splunk/

tail -f splunkd_access.log

Log in to the web UI and generate the change you intend to discover.

In this example we are updating the LDAP Group Name mapping to Splunk role to add a role (power) to the existing LDAP Group Name (splunk_test).

Actions through the web UI:
Settings > Access Controls > Authentication Method > LDAP Settings > Map groups > click LDAP group name > add or remove a role > Save.

Stop tailing the web_service.log and splunkd_access.log once your web UI actions are complete.

In web_service.log you will see the endpoint path and argument key/values passed:

web_service.log:

2015-11-05 20:01:55,759 DEBUG [563bfc036d7f3a387e2290] admin:1120 - endpoint_path:: admin/LDAP-groups/splunk_test.

2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', 'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}

In splunkd_access.log you will see the POST similar to:

127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms

Piecing this information together, you can generate your curl command:

curl -k -u admin:changeme https://localhost:8089/servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test -d roles=user -d roles=power

Disable DEBUG for python in $SPLUNK_HOME/etc/log.cfg

[python]
splunk = INFO
splunk.appserver = INFO
splunk.appserver.controllers = INFO
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = INFO
splunk.appserver.lib = INFO
splunk.pdfgen = INFO

Restart Splunk:
cd $SPLUNK_HOME/bin
./splunk restart
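
The "piecing this information together" step above, as an added example that is not part of the original post or Splunk's own tooling: it parses the two sample log lines, drops the web-form fields the post's curl command omits, and emits the curl command without the password so that curl prompts for it. The function names, and the rule that `splunk_form_key` and `f_*` keys are form-only fields, are assumptions of this example.

```python
import ast
import re
import shlex

# Constructed sample input: the two log lines quoted in the post above.
WEB_SERVICE_LINE = (
    "2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity "
    "to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test "
    "args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', "
    "'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}"
)
ACCESS_LINE = (
    '127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher'
    '/admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms'
)

SAVE_RE = re.compile(r"endpoint_path=(\S+) entity_name=(\S+) args=(\{.*\})\s*$")
ACCESS_RE = re.compile(r'^\S+ - (\S+) \[[^\]]+\] "POST (\S+) HTTP/[\d.]+" (\d{3}) ')


def parse_save(line):
    """Return (endpoint, entity, api_args, ui_only_keys) from a 'Saving Entity' line."""
    m = SAVE_RE.search(line)
    if m is None:
        raise ValueError("not a 'Saving Entity' DEBUG line")
    endpoint, entity, raw = m.groups()
    args = ast.literal_eval(raw)  # the Python 2 repr (u'...') parses as plain literals
    # Assumption: splunk_form_key and f_* are web-form fields; the post's curl omits them.
    ui_only = sorted(k for k in args if k == "splunk_form_key" or k.startswith("f_"))
    api_args = {k: v for k, v in args.items() if k not in ui_only}
    return endpoint, entity, api_args, ui_only


def build_curl(save_line, access_line, base="https://localhost:8089"):
    """Pair the two log lines and return the equivalent curl command as a string."""
    endpoint, entity, api_args, _ = parse_save(save_line)
    m = ACCESS_RE.match(access_line)
    if m is None or m.group(3) != "200":
        raise ValueError("no successful POST in access line")
    user, path, _ = m.groups()
    # Pair the lines only if the splunkd path targets the same endpoint and entity.
    if "/" + endpoint + "/" not in path or not path.endswith(entity):
        raise ValueError("access line does not match the saved entity")
    cmd = ["curl", "-k", "-u", user, base + path]  # no password given: curl prompts
    for key, value in api_args.items():
        for item in value if isinstance(value, list) else [value]:
            # same effect as the post's -d here, and safe for values with '&' or spaces
            cmd += ["--data-urlencode", "%s=%s" % (key, item)]
    return " ".join(shlex.quote(part) for part in cmd)
```

`parse_save` also returns the dropped keys; `splunk_form_key` appearing among them shows that the DEBUG log captured request contents, so keep access to web_service.log restricted while DEBUG is enabled.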
